Windows Server – Change Your Password in an RDP Session (Send Ctrl+Alt+Del)

KB ID 0001183 

Problem

Colleague: Windows Server, Where’s Windows Security gone?

Me: Eh?

Colleague: Windows Security!

Me: What are you trying to do?

Colleague: I want to change my password and I can’t send a Ctrl+Alt+Delete to the remote server.

Well I know that pressing Ctrl+Alt+Delete would let you change your password like so;

I wasn’t aware that in Server 2008 and earlier if you were connected via RDP you got a ‘Windows Security’ option that lets you do the same, like so;

This is because if you press Ctrl+Alt+Delete it will execute on YOUR machine not the remote one. But this option is not included in Windows 2012 any more.

Solution

Well you can just normally use Ctrl+Alt+END while in an RDP session. But like me, my colleague was using a Mac and we don’t have an END key!

Mac OSX Send a Ctrl+Alt+END Sequence

If you're RDP connected from OSX then use Ctrl+Alt+Fn+Backspace.

If you're RDP connected using a Mac keyboard, or from a VM session on your Mac (i.e. from a VMware Fusion Windows machine), then use Ctrl+Alt+Fn+Right-Arrow.

Other Solution

From within the RDP session, launch the on-screen keyboard (Start > Run > osk). Then press Ctrl+Alt on your physical keyboard, and click the Delete key on the on-screen keyboard with your mouse cursor like so;

 

 

BETTER Solution

Within the RDP session open PowerShell and run the following command;

[box]

(New-Object -COM Shell.Application).WindowsSecurity()

[/box]

 

Or use the following VB shortcut.

[box]

Set objShell = CreateObject("Shell.Application")
objShell.WindowsSecurity

[/box]

Scalable Solution (Create Password Reset Shortcut)

Create a shortcut for;

[box]

explorer.exe shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}

[/box]

 

Note: If you have a bunch of RDP servers you want to roll this out to, you can set it up on your administrative account, capture your start menu to an XML file, and then distribute that start menu to all your users via group policy (not available with Server 2012 or earlier).
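To script the shortcut rather than create it by hand, the following added example (not part of the original article) builds it on the all-users desktop of one server and reads it back to confirm what was written. The shortcut name and the desktop location are assumptions; run it from an elevated PowerShell session.

```powershell
# Added example: create the 'Windows Security' shortcut for every user of this server.
# Assumptions: the file name 'Change Password.lnk' and the all-users desktop location.
$desktop = [Environment]::GetFolderPath('CommonDesktopDirectory')
$lnkPath = Join-Path $desktop 'Change Password.lnk'

$wsh = New-Object -ComObject WScript.Shell
$lnk = $wsh.CreateShortcut($lnkPath)
$lnk.TargetPath  = Join-Path $env:windir 'explorer.exe'
# The shell CLSID from the article; it opens the Windows Security screen.
$lnk.Arguments   = 'shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}'
$lnk.Description = 'Open Windows Security (change password) inside this RDP session'
$lnk.Save()

# Read the .lnk back so a rollout script can confirm target and arguments.
$check = $wsh.CreateShortcut($lnkPath)
[pscustomobject]@{
    Path      = $lnkPath
    Target    = $check.TargetPath
    Arguments = $check.Arguments
}
```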

Related Articles, References, Credits, or External Links

NA

Windows – Lost / Forgotten Password?

KB ID 0000755

Problem

There are many reasons why you might want to do this: someone has managed to change a user password and that person is not available, or you might simply have forgotten it. Or you might have been given a machine, or bought one from eBay, that has come without a password. Also there have been a few times when a user has looked me in the eye and said “I’m typing my password in, but it’s not working”. I have never seen a password change on its own, so I will just put that down to the evil password gremlins.

The procedure will also work on the Windows local administrator’s password; just bear in mind that this account is disabled by default (after Windows 8). This procedure will not work if the machine in question has had its hard drive encrypted using BitLocker.

You can use this procedure to blank (or reset) a Domain Controller’s DSRM (Directory Services Restore Mode) password.

You can avoid this procedure if you have access to another account on this machine that has administrative access. If you can log on as an administrator, then you can change the password of other local accounts on the affected machine without the need to do this.

Solution

How to Burn the ISO Disc Image

1. Download the Password Reset CD Image.

2. Download ImgBurn and install it. Launch the program; if it does not look like this you need to select View > EX-Mode-Picker. Select the ‘Write image file to disc’ option.

3. The file you downloaded is a zip file that contains the disc image; you will need to extract the image from the zip file (i.e. drag it to your desktop). From within ImgBurn launch the browse option and navigate to the disc image you have just extracted > Open.

4. Select the burn to disc icon (Note: This will be greyed out until there is a blank CD in the drive). The image is very small, so it will not take long to burn.

Carry Out a Windows 8 Password Reset.

This procedure uses the boot CD you have just created. For it to work you need to make sure the machine will attempt to boot from its CD/DVD drive before it boots from its hard drive (or it will simply boot into Windows again). This change in ‘Boot Order’ is carried out in the machine’s BIOS. How you enter this varies depending on the machine vendor; when you first turn on the machine watch for a message that looks like Press {key} to enter Setup, typically Esc, Del, F1, F2, or F9. When in the BIOS, locate the boot order and move the CD/DVD drive to the top of the list.

1. Boot your machine from your freshly burned CD, when you see this screen simply press {Enter} to boot.

2. Depending on how many disks/partitions you have it will discover them and assign a number to each one, here I only have 1 so I will type ‘1 {Enter}’.

Note: You may see a small 300Mb partition; ignore that. You may also see your machine’s recovery partition if it has one. If that’s the case you may have to carry out some trial and error to get the right one.

3. The system is set to look for the default registry location C:\Windows\System32\Config so simply press {Enter}. If it fails at this point you selected the wrong drive/partition.

4. We want password reset so select option 1.

5. We will be editing user data and passwords, so again select option 1.

6. You will be presented with a list of the user objects that it can locate, here I want to reset the password for the ‘PeteLong’ user object so simply type in the username you want to edit.

Note: As mentioned you can see here the administrator account is disabled, if you want to work with that account, you will need to unlock and enable it on the next screen before you blank or change the password.

7. You can choose option 2 and type in a new password, but I’m going to blank the password, then change it when I get back into the machine, by selecting option 1.

8. To step back you need to enter an exclamation mark.

9. Enter a ‘q’ to quit.

10. To write the changes you have made enter a ‘y’.

11. As long as you are happy, and have no other accounts that need changing, enter ‘n’.

12. Now remove the boot CD, and press Ctrl+Alt+Delete to reboot the machine.

13. As the user object we are dealing with was the last one that has logged on, it will select that account as soon as the computer boots, and now it has a blank password it will automatically log on.

14. To change the password, press Ctrl+I > Change PC settings.

15. Users > Create a password.

16. Type and confirm your new password, and enter a password hint > Next.

17. Log off the account and test the new password.

 

Related Articles, References, Credits, or External Links

NA

Cisco AnyConnect – Allow Domain Password Change via LDAP

KB ID 0001273 

Problem

 

If you have remote users who connect via VPN, and a policy that forces them to change their password periodically, this can result in them getting locked out without the ability to change their password (externally).

If your Cisco ASA is using LDAP to authenticate your users, then you can use your remote AnyConnect VPN solution to let them reset their passwords remotely.

Solution

Standard LDAP runs over TCP port 389. To allow the ASA to reset the password for the users, it needs to be connected via LDAPS (TCP port 636). Your AD server needs to be able to authenticate via LDAPS; by default it will not. I’ve already covered how to set that up in another post, see the following article.

Windows Server 2012 – Enable LDAPS
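Before changing the ASA to port 636 it is worth confirming that the domain controller really answers TLS on that port and seeing which certificate it presents. The following is an added example, not part of the original article: Test-Ldaps is a hypothetical helper name and 192.168.110.10 is the lab LDAP server used in the commands further down.

```powershell
# Added example (not from the original article). Test-Ldaps is a hypothetical
# helper name; 192.168.110.10 is the lab LDAP server used in this article.
function Test-Ldaps {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int]$Port = 636,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        # Fail fast when nothing is listening on the LDAPS port.
        if (-not $client.ConnectAsync($Server, $Port).Wait($TimeoutMs)) {
            throw "TCP connect to ${Server}:$Port timed out"
        }
        # Accept the certificate so it can be inspected, but record what
        # normal validation would have complained about.
        $script:ldapsPolicyErrors = $null
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($s, $certificate, $chain, $errors)
            $script:ldapsPolicyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList ($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Server       = "${Server}:$Port"
            Protocol     = $ssl.SslProtocol
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            DaysLeft     = [int]($cert.NotAfter - (Get-Date)).TotalDays
            PolicyErrors = $script:ldapsPolicyErrors
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# By IP address a RemoteCertificateNameMismatch is expected, because the
# certificate names the DC's FQDN; query by FQDN to test the name as well.
Test-Ldaps -Server 192.168.110.10
```

A refused or timed-out connection means LDAPS is not yet enabled on that server; a returned object with a short DaysLeft value flags a certificate that will soon break the password-change path.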

So, assuming the AD server(s) that the Cisco ASA is authenticating against are already set up, you need to ensure that your AAA settings for LDAP are set to use port 636.

Enable LDAPS via Command Line

On my test network I only have one LDAP server in my LDAP AAA group, you may need to repeat this procedure for each one in yours.

[box]

Petes-ASA(config)# aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10
Petes-ASA(config-aaa-server-host)# server-port 636

[/box]

Enable LDAPS From within the ASDM

Log into the ASDM > Configuration > Device Management > Users/AAA > Select the LDAP Server Group > Select the Server > Edit > Enable LDAP over SSL > Server Port = 636.

Note: If you attempt to reset a user password without LDAPS, then you will see the following error;

Unwilling to perform password change

Next you need to edit the AnyConnect connection profile (or the tunnel-group if you work at command line) to allow password resets.

Allow Password Reset via Command Line

[box]

Petes-ASA(config)# tunnel-group ANYCONNECT-PROFILE general-attributes
Petes-ASA(config-tunnel-general)# password-management password-expire-in-days 3

[/box]

Allow Password Reset via ASDM

Connect to the ASDM > Configuration > Remote Access VPN > Network Client remote Access > AnyConnect Connection Profile > Select the one for AnyConnect > Edit > Advanced > General > Password Management > Enable Password Management > Select to notify user the amount of days before his/her password expires > OK > Apply > File > Save running configuration to flash.

Now your users have the ability to reset their passwords remotely when they are about to expire, and when they have expired.

If you want to test with a particular user you can set his password to ‘expired’ using the following procedure;

Reset an AD Users Password Expiry Date

Related Articles, References, Credits, or External Links

NA

Freecom Tough Drive – Remove Password and CD Drive

KB ID 0000403 

Problem

I’m a big fan of Tough Drives! My old 260GB was getting a bit full – so I bit the bullet and replaced it with a shiny new Tough Drive Sport 750GB.

As it comes with password protection I turned this on – fast forward to the next day (this morning) and it’s bugging the hell out of me. I mailed the nice folk at Freecom and within twenty minutes they mailed me back with instructions to remove. (Top customer service guys!)

Solution

1. First you need to disable the password feature (if you still have it enabled), plug in the drive, locate the password CD drive and open it.

2. Run the password software.

3. Select “Remove password protection”.

4. Tap in the password.

5. Nice! Press finish.

6. Download this software and extract it to your PC.

7. Now there are two versions, if you run the wrong one you will simply see this error.

8. When the software has done its stuff, you should see this.

9. Navigate to C:\Windows\Temp and delete any instance of password.exe

10. Click Start > All Programs > Startup > Delete the entry for “Password”.

11. Reboot your machine, and you are password (and drive) free 🙂

 

Related Articles, References, Credits, or External Links

Thanks to support at Freecom supportuk@freecom.com