I have a situation where I am forced to use a server (Windows 2012 R2) that is NOT part of a domain, and does NOT have AD. This is not my choice, is not optimal, but out of my control.
I also have local users that connect to this server through RDP, and the local users have a password expiration policy.
Since AD/Exchange is not part of the picture, the users receive no notification that their passwords are about to expire.
The problem is when a user's password has expired and they try to log in using a Remote Desktop Connection. It does not allow them to change their password.
I have unchecked the "Allow connections ONLY from computers running Remote Desktop with Network Level Authentication" from the server side, so the server is NOT requiring NLA from incoming RDP sessions.
However, when using Windows Remote Desktop Connection Manager, it seems to be forcing NLA.
If I am using the "Terminals" Remote Desktop Client, there is an option on the client side to disable using "Network Level Authentication". If I disable NLA through the Terminals client, and I connect to the server, it allows me to change the user's expired password.
I am making the assumption, perhaps incorrectly, that the Terminals program is just sitting on top of Windows Remote Desktop Connection protocols, and that if you can disable Network Level Authentication client side through the Terminals program, then you should also be able to disable this through Windows built-in Remote Desktop Connection Manager. Unfortunately, I do not see this option in the connection manager's GUI, and I do not see any parameters in ".RDP" files specific to NLA.
If I click "About" on the client side Remote Desktop Connection Manager, it tells me that "Network Level Authentication supported". The wording leads me to believe that using it is optional, but again, I see no way to turn it off in the connection manager. BTW, this particular connection manager is v10.