How-To: Change Password in a Nested RDP Session

Practicing good IT security is not always convenient. It can be tedious to change passwords without a dedicated password tool, but password rotation is a necessary step.  Even though I don’t have an ideal tool for this task, I will show you how to rotate the local admin password on one of our servers.  So, let’s log in and change it:

The Problem

With previous versions of Windows, this was a bit easier.  However, Server 2012 made some changes from 2008 that require additional steps since it doesn’t have “Windows Security.”  (For the tl;dr on how to do it, click HERE)

From your workstation, you would remote desktop (RDP) to our Jump Box, then remote desktop to the server. Then you click on “Windows Security”:

You can still change it by going to “Computer Management” and then \Local Users and Groups\Users\ right-clicking on the administrative user and selecting “set password”:

However, Server 2012 will present a warning, as this is not the recommended way for a variety of reasons; including encypted file system (EFS) issues

If you press CTRL+ALT+DEL as instructed, you will receive a prompt on our local workstation.

If you press CTRL+ALT+END, as we’ve learned from years of RDP, you will receive a prompt on our Jump Box:

At this point, it seems you are stuck – an unintended consequence of Microsoft’s changes from Server 2008 to 2012. So how do you safely change my local admin password?

The Solution

1

For tablet and accessibility support, Windows includes an on-screen keyboard (OSK)! Start -> Run -> osk.exe or search for osk:

**NOTE: When you type CTRL+ALT+DEL on the OSK, it also gives a warning!

2

Hold down CTRL+ALT on your physical keyboard and click DEL on the OSK:

 3

The correct “Change Password” prompt will finally appear:

This may seem more inconvenient since there is not a dedicated tool. But this method addresses the problem without having to utilize a tool, so you can secure your password quickly and move onto other tasks.

Credit for this post should be shared with friend of SealingTech, Tony Pimenta.

Posted in