Would you like to see the site in a different language?

English
English Español Italiano Português do Brasil Português Français Русский 日本語 Polski 简体中文 繁體中文 Türkçe 한국어 Čeština العربية Bahasa Indonesia Tiếng Việt Nederlands ไทย Magyar Slovenčina Svenska Ελληνικά Română فارسی Dansk Български Suomi Hrvatski Norsk bokmål Català Bahasa Melayu हिन्दी Tagalog English (UK)
Change language
Table of Contents

Using Ctrl + Alt + End to Change RDP Password

A fundamental challenge when working within RDP sessions is that the local system often captures system-wide keyboard shortcuts like Ctrl + Alt + Del. To overcome this, Microsoft provides a session-specific alternative: Ctrl + Alt + End.

Understanding the Ctrl + Alt + End Shortcut

Ctrl + Alt + End emulates Ctrl + Alt + Del within a Remote Desktop session. This combination opens the Windows Security screen, allowing access to multiple options including:

  • Lock the session
  • Log off
  • Start Task Manager
  • Change a password

This is the recommended method for domain-joined users and for remote servers where GUI access is enabled.

When It Works and When It Doesn’t

This method requires:

  • A full RDP desktop session (not RemoteApp)
  • Windows OS version that supports the Windows Security screen
  • Proper user rights to change passwords (e.g., not disabled via Group Policy)

In minimal or headless environments, this method might be unavailable due to restricted GUI features.

Changing RDP Password Using the On-Screen Keyboard (OSK)

For environments with limited keyboard functionality—such as thin clients, virtual machines, or tablet-based access—the Windows On-Screen Keyboard (OSK) offers an alternative way to simulate Ctrl + Alt + Del.

Step-by-Step Guide to Using OSK for Password Change

  1. Launch the On-Screen Keyboard; Press Win + R, type osk, and press Enter.
  2. Simulate Ctrl + Alt + Del
    • Hold Ctrl and Alt on your physical keyboard.
    • Click the Del key on the OSK.
  3. Open Password Change Interface
    • From the Windows Security screen, click Change a password.
    • Enter the current password, new password, and confirmation.

This method works regardless of the physical keyboard limitations and is particularly useful in virtual environments where USB passthrough is restricted.

How to Change Password Over RDP Using Command Line Tools

Command-line methods are ideal for IT administrators allowing scripted or remote changes without navigating through GUI menus. This is particularly helpful when managing multiple user accounts or automating password rotation.

net user command (local or remote usage)

The net user command is a simple and effective tool:

net user username newpassword

Requirements:

  • Must be run from an elevated Command Prompt
  • Requires local administrator rights or remote PowerShell/SSH access
  • Target user must exist on the local machine or be reachable in the domain

Example:

net user admin SecurePass2025!

Use this carefully—passwords passed in plaintext can be exposed via command history or process monitoring tools.

Security Note

Avoid scripting net user with plaintext passwords unless it is within a secure, encrypted deployment framework (e.g., PowerShell DSC or encrypted credential vaults).

Changing Passwords via PowerShell (Local & Domain)

PowerShell offers modern, object-oriented control over user accounts, both in local machines and in Active Directory environments.

Set-LocalUser for Local Accounts

This cmdlet allows secure password changes on standalone or non-domain machines:

Set-LocalUser -Name "johndoe" -Password (ConvertTo-SecureString "N3wSecureP@ss" -AsPlainText -Force)

Requirements:

  • Windows PowerShell 5.1 or later
  • Local administrator privileges

Set-ADAccountPassword for Domain Accounts

To change a domain user's password:

Set-ADAccountPassword -Identity "johndoe" -NewPassword (ConvertTo-SecureString "NewDomP@ss123!" -AsPlainText -Force) -Reset

Additional best practices:

  • Import the AD module: Import-Module ActiveDirectory
  • Run PowerShell as a domain admin or delegated administrator

Credential Security

Always avoid embedding passwords in plain text—use secure strings or secure vaults (e.g., Azure Key Vault, Windows Credential Manager).

Changing RDP Password via Administrative Tools

Windows offers built-in consoles for managing users and resetting passwords efficiently, especially in Active Directory or multi-user terminal environments.

Using Computer Management (compmgmt.msc)

For local users:

  1. Open compmgmt.msc
  2. Navigate to Local Users and Groups > Users
  3. Right-click the target user → Set Password
  4. Follow the dialog to reset the password securely

Using Active Directory Users and Computers (ADUC)

For domain-joined environments:

  1. Launch dsa.msc or ADUC from RSAT tools
  2. Locate the user → Right-click → Reset Password
  3. Enforce password policies, expiration, and next login prompts

ADUC also integrates audit logging and delegation capabilities, which is critical for IT compliance.

Using VBS or Shell Scripts to Trigger Password Dialogs

When GUI access is restricted, or you're automating password changes across systems, scripting offers a workaround to open the password change dialog.

Visual Basic Script (VBS)

Save the following content into ChangePassword.vbs:

Set objShell = CreateObject("Shell.Application")

objShell.WindowsSecurity

Running this script in the RDP session will simulate Ctrl + Alt + Del.

Shell Folder Command

Run this in PowerShell or via Run:

explorer.exe shell:::{2559a1f2-21d7-11d4-bdaf-00c04f60b9f0}

This launches the same Windows Security menu where the Change a password option appears.

Note: These methods rely on shell access being permitted. GPO restrictions may block them.

Handling Expired Passwords in Remote Desktop

When a password expires, the RDP client may reject login attempts without offering an option to reset the password—especially in older or restricted configurations.

Typical Behaviour

In many RDP setups:

  • The session closes immediately on login failure
  • No option to change the password is offered
  • The error message may vary (e.g., “The username or password is incorrect”)

Solutions

  1. Preempt Expiration Warnings: Configure Group Policies to show expiration alerts and allow users to change passwords in advance.
  2. Enable NLA Password Change: Set the AllowPasswordReset policy in RDP host or client configurations.
  3. Admin Reset: Use ADUC or PowerShell to reset the user’s password manually.
  4. Web Portal Integration: Deploy self-service password reset portals with multi-factor authentication.

Secure Your RDP Infrastructure with TSplus Advanced Security

While changing passwords is a critical aspect of remote desktop management, true protection requires layered defence. TSplus Advanced Security enhances your RDP infrastructure with powerful tools like IP filtering, brute-force protection, and time-based access control. Designed for IT professionals, it helps enforce security policies and block threats proactively—ensuring robust, centralized control over all remote access points in your organization.

Conclusion

Managing password changes in Remote Desktop environments is a vital task for ensuring user security and maintaining operational integrity across remote systems. From keyboard shortcuts and command-line tools to advanced scripting and administrative interfaces, IT professionals have a wide range of options to facilitate secure password management. By mastering these techniques and pairing them with robust tools like TSplus Advanced Security organizations can confidently safeguard their RDP infrastructure against evolving threats.

Share:

Facebook Twitter LinkedIn

Your TSplus Team

Related Posts

back to top of the page icon