When working with Windows Server 2012 Terminal Services or Remote Desktop sessions, the standard password change shortcut (CTRL+ALT+DEL or CTRL+ALT+END) presents a unique challenge. These key combinations are often intercepted by the local machine or remote desktop client before reaching the terminal server session.
The most straightforward method is using the command prompt:
:: For changing your own password:
net user %username% *
:: You'll be prompted to enter the new password twice
:: For administrators changing another user's password
:: (* prompts for the password instead of exposing it on the command line):
net user target_username * /domain
For more advanced scenarios, PowerShell provides several options:
# Method 1: Using Set-ADAccountPassword (-Reset is an administrative reset; the old password is not required)
Import-Module ActiveDirectory
# Prompt for the new password so it never sits in plain text in a script or command history
$newPassword = Read-Host -AsSecureString "New password"
Set-ADAccountPassword -Identity $env:USERNAME -Reset -NewPassword $newPassword
# Method 2: For non-admin users to change their own password
$credential = Get-Credential   # enter the current password here
$newPassword = Read-Host -AsSecureString "New password"
Set-ADAccountPassword -Identity $env:USERNAME -OldPassword $credential.Password -NewPassword $newPassword
You can create a desktop shortcut with this target:
rundll32.exe keymgr.dll,KRShowKeyMgr
This launches the Stored User Names and Passwords manager, where users can modify their stored passwords.
Several GUI-based alternatives exist:
- Press Windows key and type "credential manager" to access stored credentials
- Right-click on Computer -> Manage -> Local Users and Groups (for local accounts)
- Use the IIS Manager if the server has IIS installed (Server Manager -> Tools)
For administrators managing multiple users:
dsa.msc
Then navigate to the user object in Active Directory Users and Computers.
When implementing these alternatives:
- Password policies still apply (complexity, length, history)
- Some methods may require admin privileges
- Audit password change events in security logs
- Consider implementing multi-factor authentication
When working with Windows Server 2012 Remote Desktop Services (RDS), administrators often encounter the challenge of password changes due to the CTRL+ALT+END key combination conflict. This standard Windows security sequence gets intercepted by the local machine when using Remote Desktop, creating accessibility issues.
Here are several technical approaches to bypass the keyboard shortcut requirement:
# PowerShell method using DirectoryServices
$user = [ADSI]"LDAP://CN=username,OU=Users,DC=domain,DC=com"
$user.ChangePassword("oldPassword", "newPassword")
$user.SetInfo()
For frequent password changes, consider building a simple C# application:
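using System.DirectoryServices;

public static class AdPassword
{
    // Changes the password of the user object at the given DN; the old password must be correct.
    public static void ChangeADPassword(string username, string oldPwd, string newPwd)
    {
        // Dispose the DirectoryEntry so the underlying LDAP connection is released
        using (DirectoryEntry user = new DirectoryEntry(
            "LDAP://CN=" + username + ",OU=Users,DC=domain,DC=com"))
        {
            user.Invoke("ChangePassword", new object[] { oldPwd, newPwd });
            user.CommitChanges();
        }
    }
}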
For environments where PowerShell isn't available, a VBScript solution works well:
Set objUser = GetObject("LDAP://CN=username,OU=Users,DC=domain,DC=com")
objUser.ChangePassword "oldPassword", "newPassword"
objUser.SetInfo
For enterprise environments, implementing an IIS-hosted ASP.NET page provides the most flexible solution. This example shows the core functionality:
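// Requires: using System.DirectoryServices.AccountManagement;
protected void btnChangePassword_Click(object sender, EventArgs e)
{
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
    {
        using (UserPrincipal user = UserPrincipal.FindByIdentity(
            context, IdentityType.SamAccountName, txtUsername.Text))
        {
            // FindByIdentity returns null when no account matches the name
            if (user == null)
            {
                return;
            }
            // Throws PasswordException if the old password is wrong or policy rejects the new one
            user.ChangePassword(txtOldPassword.Text, txtNewPassword.Text);
            user.Save();
        }
    }
}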
When implementing programmatic password changes:
- Always use secure channels (LDAPS or TLS)
- Implement proper input validation
- Log password change events
- Consider multi-factor authentication for sensitive accounts
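To act on the logging and auditing items in both checklists, it helps to know that the Security log records a password change (old password supplied) as event 4723 and an administrative reset as event 4724. The following PowerShell is an added example, not code from the original article: `ConvertFrom-PasswordEventXml` is a hypothetical helper name, and the two events, account names and SIDs are constructed samples so the script runs offline.

```powershell
# Added example: classify password change (4723) vs. reset (4724) events.
function ConvertFrom-PasswordEventXml {      # hypothetical helper name
    param([Parameter(Mandatory)][string]$Xml)
    $evt  = ([xml]$Xml).Event
    $data = @{}
    # EventData holds <Data Name="...">value</Data> pairs
    foreach ($node in $evt.EventData.Data) { $data[$node.Name] = $node.'#text' }
    $id = [int]$evt.System.EventID
    # 4723 = change (old password supplied), 4724 = reset (old password not needed)
    $action = switch ($id) { 4723 { 'Change' } 4724 { 'Reset' } default { "Other($id)" } }
    [pscustomobject]@{
        Time   = $evt.System.TimeCreated.SystemTime
        Action = $action
        Actor  = '{0}\{1}' -f $data.SubjectDomainName, $data.SubjectUserName
        Target = '{0}\{1}' -f $data.TargetDomainName, $data.TargetUserName
        # Same SID on both sides: the user acted on their own account
        OnSelf = ($data.SubjectUserSid -eq $data.TargetSid)
    }
}

# Constructed sample events (CORP, jdoe, helpdesk1 and the SIDs are made up)
$ns = 'http://schemas.microsoft.com/win/2004/08/events/event'
$samples = @(
@"
<Event xmlns="$ns"><System><EventID>4723</EventID>
<TimeCreated SystemTime="2024-05-01T09:14:02Z"/></System><EventData>
<Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data>
<Data Name="SubjectUserSid">S-1-5-21-1-2-3-1105</Data>
<Data Name="SubjectUserName">jdoe</Data><Data Name="SubjectDomainName">CORP</Data>
</EventData></Event>
"@,
@"
<Event xmlns="$ns"><System><EventID>4724</EventID>
<TimeCreated SystemTime="2024-05-01T09:20:41Z"/></System><EventData>
<Data Name="TargetUserName">jdoe</Data><Data Name="TargetDomainName">CORP</Data>
<Data Name="TargetSid">S-1-5-21-1-2-3-1105</Data>
<Data Name="SubjectUserSid">S-1-5-21-1-2-3-1180</Data>
<Data Name="SubjectUserName">helpdesk1</Data><Data Name="SubjectDomainName">CORP</Data>
</EventData></Event>
"@
)
$samples | ForEach-Object { ConvertFrom-PasswordEventXml $_ } | Format-Table -AutoSize

# Live use (needs rights to read the Security log and account-management auditing enabled):
# Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4723, 4724 } |
#     ForEach-Object { ConvertFrom-PasswordEventXml $_.ToXml() }
```

In this output, the `Set-ADAccountPassword -Reset` form shown earlier would appear as a Reset, while the `-OldPassword` form and the `ChangePassword` calls would appear as a Change.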
If encountering "Access Denied" errors:
- Verify the account has "Change Password" permissions
- Check if password complexity requirements are met
- Confirm the account isn't locked out
- Validate the domain controller is reachable