I must admit that it was a bit embarrassing to see my Administrator password expired when I tried to log in as Domain Admin to Domain Controller. I got this little message saying
This user account's password has expired. The password must change in order to logon. Please update the password or contact your system administrator or technical support.
Everything would be relatively OK (and admittedly less embarrassing) if I weren't the system administrator and if I wouldn't tell guys working in Service Desk and similar technical positions as myself (you know Domain Admins who remember their passwords) to remember to change their passwords on Client domain before they expire. And now I am supposed to go to them and tell them to change my password because I forgot it myself. Well, that's not gonna happen!
If you've not enabled NLA (Network Level Authentication) on your servers/computers that you're trying to log in via RDP, there's one little trick you can do if it doesn't let you in instantly. Open up Remote Desktop Connection and instead of pressing connect use Save As, and save your connection file to a safe place.
Processmaker User Account Expired
I rolled out sudo (1.7.2p7) to my AIX system (6100-) some time ago. Because I was using 'sudo su -' I did not update my root password before it expired as a result of maxexpire. Now I find that the root account has expired and I cannot find any way of 'unexpiring' it. Account locking or expiry issue is one the common problem Oracle Developers might have encountered in their career. We will examine how to unlock or reset the locked or expired user account. Account Expired When trying to logon a user it says below message. Here account is expired. Why account expired:- If user is. Error The user account has expired windows is an error that you face right on your Windows login screen. I have a SQL server Login which password has recently expired. Unfortunately this password is necessary as we use it across Dev Machines for application testing purposes. I CAN'T change this password, but I need to unexpire it.
Open up a saved RDP file which should look more or less like this:
Now when you try to login with the saved session file, it should let you in. However, in my case that didn't work. Surely enough I always enable NLA. Bummer.
Fortunately, in my case, PowerShell is my friend. While it does not exactly change your expired password via RDP that you were looking for it allows you to change the expired password before you have to log in to RDP and in turn saves you from having an embarrassing moment.
This little function does magic trick of changing password remotely even if you don't have a domain-joined computer (like me). Usage is straightforward
You will be asked a series of 4 questions that you need to fill in and your password will be changed (or not if any errors will occur in the meantime).
The method above is actually based on NetUserChangePassword function. It requires TCP port 445 open (SMB) to Domain Controller. While you may be thinking that there is a simple PowerShell way to do it such as this (as suggested on Reddit)
You should aware that it will only work on non-expired passwords. LDAP will verify password prior to change.
So all you need to do is save this function for later and simply use it. Alternatively, this function is added as part of my PowerShell (I have it all) Module called PSSharedGoods where you can simply do
PSSharedGoods module actually has lots of different, sometimes weird functions that I use over and over in my modules. Feel free to explore on GitHub.
-->This article describes information about using the UserAccountControl attribute to manipulate user account properties.
Original product version: Windows Server 2012 R2
Original KB number: 305144
Summary
When you open the properties for a user account, click the Account tab, and then either select or clear the check boxes in the Account options dialog box, numerical values are assigned to the UserAccountControl attribute. The value that is assigned to the attribute tells Windows which options have been enabled.
To view user accounts, click Start, point to Programs, point to Administrative Tools, and then click Active Directory Users and Computers.
List of property flags
You can view and edit these attributes by using either the Ldp.exe tool or the Adsiedit.msc snap-in.
Active Directory User Account Expiration
The following table lists possible flags that you can assign. You cannot set some of the values on a user or computer object because these values can be set or reset only by the directory service. Ldp.exe shows the values in hexadecimal. Adsiedit.msc displays the values in decimal. The flags are cumulative. To disable a user's account, set the UserAccountControl attribute to 0x0202 (0x002 + 0x0200). In decimal, this is 514 (2 + 512).
Note
You can directly edit Active Directory in both Ldp.exe and Adsiedit.msc. Only experienced administrators should use these tools to edit Active Directory. Both tools are available after you install the Support tools from your original Windows installation media.
| Property flag | Value in hexadecimal | Value in decimal |
|---|---|---|
| SCRIPT | 0x0001 | 1 |
| ACCOUNTDISABLE | 0x0002 | 2 |
| HOMEDIR_REQUIRED | 0x0008 | 8 |
| LOCKOUT | 0x0010 | 16 |
| PASSWD_NOTREQD | 0x0020 | 32 |
| PASSWD_CANT_CHANGE You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the Property flag descriptions section. | 0x0040 | 64 |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 |
| NORMAL_ACCOUNT | 0x0200 | 512 |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 |
| SMARTCARD_REQUIRED | 0x40000 | 262144 |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 |
| NOT_DELEGATED | 0x100000 | 1048576 |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 |
| PASSWORD_EXPIRED | 0x800000 | 8388608 |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 |
| PARTIAL_SECRETS_ACCOUNT | 0x04000000 | 67108864 |
Note
In a Windows Server 2003-based domain, LOCK_OUT and PASSWORD_EXPIRED have been replaced with a new attribute called ms-DS-User-Account-Control-Computed. For more information about this new attribute, see ms-DS-User-Account-Control-Computed attribute](/windows/win32/adschema/a-msds-user-account-control-computed).
Property flag descriptions
SCRIPT - The logon script will be run.
ACCOUNTDISABLE - The user account is disabled.
HOMEDIR_REQUIRED - The home folder is required.
PASSWD_NOTREQD - No password is required.
PASSWD_CANT_CHANGE - The user cannot change the password. This is a permission on the user's object. For information about how to programmatically set this permission, see Modifying User Cannot Change Password (LDAP Provider).
ENCRYPTED_TEXT_PASSWORD_ALLOWED - The user can send an encrypted password.
TEMP_DUPLICATE_ACCOUNT - This is an account for users whose primary account is in another domain. This account provides user access to this domain, but not to any domain that trusts this domain. This is sometimes referred to as a local user account.
NORMAL_ACCOUNT - This is a default account type that represents a typical user.
INTERDOMAIN_TRUST_ACCOUNT - This is a permit to trust an account for a system domain that trusts other domains.
WORKSTATION_TRUST_ACCOUNT - This is a computer account for a computer that is running Microsoft Windows NT 4.0 Workstation, Microsoft Windows NT 4.0 Server, Microsoft Windows 2000 Professional, or Windows 2000 Server and is a member of this domain.
SERVER_TRUST_ACCOUNT - This is a computer account for a domain controller that is a member of this domain.
DONT_EXPIRE_PASSWD - Represents the password, which should never expire on the account.
MNS_LOGON_ACCOUNT - This is an MNS logon account.
SMARTCARD_REQUIRED - When this flag is set, it forces the user to log on by using a smart card.
TRUSTED_FOR_DELEGATION - When this flag is set, the service account (the user or computer account) under which a service runs is trusted for Kerberos delegation. Any such service can impersonate a client requesting the service. To enable a service for Kerberos delegation, you must set this flag on the userAccountControl property of the service account.
NOT_DELEGATED - When this flag is set, the security context of the user is not delegated to a service even if the service account is set as trusted for Kerberos delegation.
USE_DES_KEY_ONLY - (Windows 2000/Windows Server 2003) Restrict this principal to use only Data Encryption Standard (DES) encryption types for keys.
DONT_REQUIRE_PREAUTH - (Windows 2000/Windows Server 2003) This account does not require Kerberos pre-authentication for logging on.
PASSWORD_EXPIRED - (Windows 2000/Windows Server 2003) The user's password has expired.
TRUSTED_TO_AUTH_FOR_DELEGATION - (Windows 2000/Windows Server 2003) The account is enabled for delegation. This is a security-sensitive setting. Accounts that have this option enabled should be tightly controlled. This setting lets a service that runs under the account assume a client's identity and authenticate as that user to other remote servers on the network.
PARTIAL_SECRETS_ACCOUNT - (Windows Server 2008/Windows Server 2008 R2) The account is a read-only domain controller (RODC). This is a security-sensitive setting. Removing this setting from an RODC compromises security on that server.
UserAccountControl values
These are the default UserAccountControl values for the certain objects:
User Account Has Expired
- Typical user: 0x200 (512)
- Domain controller: 0x82000 (532480)
- Workstation/server: 0x1000 (4096)
