Password Change Possibility in the NLA Protocol.
An item that is coming up as a recommendation in security scans every year is that NLA should be set to exclusively on for our server environments. NLA is a great concept. It works well to help secure the server environment. That said, it also complicates things for users in the environment when password resets occur via the help desk.
To prevent a situation where the Help Desk staff have passwords to potentially sensitive accounts after reset, many regulations require that the "Change Password at Next Logon" bit be checked after a password reset occurs.
In my testing, I have not found a way to do this on a server with NLA turned on. If you search around the net for people who have the same problem, you are either instructed to install the RD Web features and enable that functionality or to use a third-party solution.
To me this is an unacceptable workaround. Many enterprises do not wish to open themselves up to allow password resets over an internal website and would rather just reset the password in flight as done in situations where NLA is turned on.
This issue is really a pain. It would be nice to get it solved.
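A worked PowerShell example, added here and not part of the original post, of the two halves of the procedure described above: a help-desk reset that sets the "Change Password at Next Logon" bit (so the help desk never holds a usable long-term password), and an inventory check of which RDP hosts enforce NLA, where such a user is refused at the RDP logon rather than being prompted to change the password. It assumes the RSAT ActiveDirectory module, WinRM access to the hosts, and Windows PowerShell 5.1 for the password generator; the host names, user name and OU are placeholders.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory module,
# WinRM access to the listed RDP hosts and Windows PowerShell 5.1 (System.Web is not
# available in PowerShell 7). All names below are placeholders.
Import-Module ActiveDirectory

# --- Part 1: help-desk reset that forces a change at next logon ---------------
# A temporary password is generated on the fly so the operator never chooses or keeps
# it; the "change at next logon" bit makes it single-use.
function Reset-HelpDeskPassword {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName
    )
    Add-Type -AssemblyName 'System.Web'
    $tempPlain  = [System.Web.Security.Membership]::GeneratePassword(16, 3)
    $tempSecure = ConvertTo-SecureString $tempPlain -AsPlainText -Force

    # -Reset performs an administrative reset (the old password is not needed).
    Set-ADAccountPassword -Identity $SamAccountName -Reset -NewPassword $tempSecure
    # Sets pwdLastSet to 0, i.e. "User must change password at next logon".
    Set-ADUser -Identity $SamAccountName -ChangePasswordAtLogon $true

    return $tempPlain   # hand over out-of-band; it stops working once the user changes it
}

# --- Part 2: which RDP hosts enforce NLA? -------------------------------------
# With NLA required, a user whose pwdLastSet is 0 is rejected before a session exists,
# so there is no in-session prompt to change the password. This inventory tells the
# help desk which hosts the user cannot use until the password has been changed elsewhere.
function Get-RdpNlaState {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
        $v   = (Get-ItemProperty -Path $key -Name UserAuthentication).UserAuthentication
        [pscustomobject]@{
            Host       = $env:COMPUTERNAME
            NlaEnabled = ($v -eq 1)   # 1 = NLA required, 0 = NLA not required
        }
    } | Select-Object Host, NlaEnabled
}

# --- Part 3: users currently waiting behind the "change at next logon" bit ----
# pwdLastSet = 0 is exactly the state Part 1 produces, so this lists the accounts
# that will be turned away by every host reported as NlaEnabled by Part 2.
function Get-UsersPendingPasswordChange {
    param([Parameter(Mandatory)] [string] $SearchBase)
    Get-ADUser -Filter { pwdLastSet -eq 0 -and Enabled -eq $true } `
               -SearchBase $SearchBase -Properties pwdLastSet |
        Select-Object SamAccountName, DistinguishedName
}

# Example usage (placeholder names):
# $temp = Reset-HelpDeskPassword -SamAccountName 'jdoe'
# Get-RdpNlaState -ComputerName 'RDS01', 'RDS02' | Format-Table
# Get-UsersPendingPasswordChange -SearchBase 'OU=Users,DC=example,DC=com'
```

Run the three parts together and the help desk can see, at reset time, which hosts the user can reach with the temporary password and which will refuse them until the password has been changed through some other logon path.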
Mirko Strik commented
I can only support this request to solve this issue. We have already had to put, and still have to put, too much effort into this issue.
Christoph Büche commented
Thank you for forwarding this to the correct forum...