
Network World

Tyson Kopczynski

RDC RemoteApp: How do users change their password?

How to create a password change GUI for RemoteApp using PowerShell.

By tyson.kopczynski on Mon, 05/31/10 - 10:52pm.

***UPDATE***

Here is the source: http://poshcode.org/1910

*************

I recently ran into a very interesting scenario with RDC RemoteApp. Basically, we had a client that was using RDC RemoteApp to deploy a medical-related application. For their deployment scenario they wanted to create and distribute RDP files to remote users who were not on the organization’s internal network. After semi-going live with their deployment, they turned to us and asked, “What about password changes?”

To be honest, I never gave password changes much thought with RemoteApp. After all, with most deployments the user has a desktop that is a member of the domain or they are coming through Web Access and we can front the password changes with something like UAG. However, with just RemoteApp via an RDP file on a non-domain member machine there really isn’t a way for users to change their password. Yes, you heard me correctly… there isn’t a way for users to change their password or get notified about impending password expiration.

To understand why this is the case you have to take two things into consideration about RemoteApp. First, the primary feature of RemoteApp is that it provides seamless windows. In other words, the application looks like it is running locally on the user’s machine. Secondly, to achieve its seamless windows magic, RemoteApp does not use Windows Explorer as the user’s shell on the RDS Session Host server. Instead, it uses RDPSHELL.EXE which loads a set of Windows event hooks into the user’s session that allow it to monitor and manage the state of all windows on the desktop. As a result, the following things are true about a RemoteApp session:

  1. A user doesn’t see the desktop of the RemoteApp session.
  2. A user doesn’t see password notifications.
  3. Login scripts are not processed unless specified using a GPO.
  4. Dialog boxes from a logon script and sometimes from the published application itself are not shown.

So… how does one work around the features of RemoteApp to allow users to change their passwords? Well the solution that I came up with involves PowerShell. While I can’t necessarily publish the source code, I can describe what I did.

Overall, I needed to provide users with a GUI to change their passwords. However, to work around RemoteApp, I had to basically write a PowerShell based GUI that was then published as the intended application. Then depending on the outcome of this GUI the actual intended application was started and the password change GUI was closed. To create the password change solution the following steps were used:

  1. First, download the PowerShellPack: http://code.msdn.microsoft.com/PowerShellPack.
  2. Next, grab the WPK module from the PowerShellPack and copy it into the folder that will house the future password change script.
  3. Next, write a PowerShell script that does the following:
    1. Imports the WPK module.
    2. Determines when the logged on user’s password is going to expire (password policy settings can either be hard coded or determined from Active Directory).
    3. If the user’s password isn’t going to expire within a specified minimum period (say 10 days), the intended application is just started.
    4. If the user’s password is going to expire within 10 days, a password change GUI is displayed using the WPF cmdlets from the WPK module. With my GUI there were three PasswordBoxes (current password, new password, and confirm new password), two buttons (change and cancel), and a TextBlock for displaying messages.
      1. For times when the user’s password will expire within 10 days but in more than one day, the GUI allows the user to cancel and launch the application.
      2. For times when the user’s password will expire in some maximum period (say less than one day) the cancel button is disabled.
    5. When a user has filled in the correct password information (old and new) they can click Change. Upon clicking Change, the Password method of the DirectoryEntry class is used to change the user’s password. Once the password has been changed, the password change GUI is closed and the intended application is started.
  4. Next, a batch file needs to be created that executes the PowerShell script using the following command: powershell.exe -STA -NoProfile -WindowStyle Hidden -Command "C:\PassMan\PassMan.ps1". Notice the usage of the Hidden WindowStyle. This ensures that the PowerShell console is not shown to the user when the script is executed.
  5. Finally, copy the password change GUI to all of the RDC Session Host servers and publish the batch file as a RemoteApp.
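
The non-GUI core of step 3, as an added example (not the author's script and not the code at the poshcode link): it reads the expiry time from the constructed AD attribute msDS-UserPasswordExpiryTimeComputed, picks one of the three behaviours described above, and changes the password through ADSI's ChangePassword. The function names, the mode names, and $AppPath are hypothetical.

```powershell
# Added example, not the author's script. Thresholds follow the article (10 days / 1 day).
$WarnDays  = 10
$ForceDays = 1
$AppPath   = 'C:\Apps\IntendedApp.exe'   # hypothetical path to the published application

function Get-OwnPasswordExpiry {
    # User name comes from the logon token, not the editable %USERNAME% variable.
    $name = [Environment]::UserName
    $searcher = [adsisearcher]"(&(objectCategory=person)(sAMAccountName=$name))"
    $searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName',
        'msDS-UserPasswordExpiryTimeComputed'))
    $hit = $searcher.FindOne()
    if (-not $hit) { throw "User $name not found in Active Directory." }
    $raw = [int64]$hit.Properties['msds-userpasswordexpirytimecomputed'][0]
    $expiry = $null
    # Int64.MaxValue = never expires; 0 = must change now (FromFileTime(0) is in the past)
    if ($raw -ne [int64]::MaxValue) { $expiry = [datetime]::FromFileTime($raw) }
    New-Object PSObject -Property @{
        Dn = [string]$hit.Properties['distinguishedname'][0]; Expiry = $expiry }
}

function Get-PasswordPromptMode($Expiry, [datetime]$Now = (Get-Date)) {
    if ($null -eq $Expiry) { return 'LaunchApp' }
    $daysLeft = ($Expiry - $Now).TotalDays
    if ($daysLeft -gt $WarnDays)  { return 'LaunchApp' }         # outside the warning window
    if ($daysLeft -gt $ForceDays) { return 'PromptCancelable' }  # Cancel button enabled
    'PromptForced'                                               # Cancel button disabled
}

function ConvertTo-PlainText([securestring]$Secure) {
    # ADSI needs plain strings; keep them short-lived and zero the unmanaged copy.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
    try { [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
}

function Set-OwnPassword([string]$UserDn, [securestring]$Current, [securestring]$New) {
    $entry = [adsi]"LDAP://$UserDn"
    try {
        $entry.psbase.Invoke('ChangePassword',
            (ConvertTo-PlainText $Current), (ConvertTo-PlainText $New))
        $true
    } catch {
        # Show the policy or credential error in the GUI's TextBlock; never log the passwords.
        Write-Warning $_.Exception.GetBaseException().Message
        $false
    } finally { $entry.psbase.Dispose() }
}

# Flow: look up expiry, pick the mode, then start the app or show the WPK window.
$me   = Get-OwnPasswordExpiry
$mode = Get-PasswordPromptMode $me.Expiry
if ($mode -eq 'LaunchApp') { Start-Process $AppPath }
```

Because every RemoteApp user runs this script, the folder that holds it and the WPK module should be writable by administrators only.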

Hopefully this helps someone…

About Hidden Microsoft

With more than ten years of experience in IT, Tyson Kopczynski has become a specialist in Active Directory, Information Assurance, Windows automation, PKI, and IT security practices. Tyson is also the founding author of the Windows PowerShell Unleashed series and has been a contributing author for such books as Microsoft Internet Security and Acceleration (ISA) Server 2006 Unleashed and Microsoft Windows Server 2008 R2 Unleashed. He has also written many detailed technical papers and guides covering various technologies. As a consultant at Convergent Computing, Tyson works with and provides feedback for next generation Microsoft technologies since their inception and has also played a key role in expanding the automation and security practices at CCO. Tyson also holds such certifications as the Certified Information Systems Security Professional (CISSP), the SANS Security Essentials Certification (GSEC) and SANS Certified Incident Handler (GCIH), and the MCTS (Application Platform, Active Directory, and Network Infrastructure).


Certifications:

  • Certified Information Systems Security Professional (CISSP)
  • SANS GIAC Security Essentials Certification (GSEC)
  • SANS GIAC Certified Incident Handler (GCIH)
  • MCTS (Application Platform, Active Directory, and Network Infrastructure)
  • Microsoft Certified Systems Engineer (MCSE) Security
  • CompTIA Security+

Other Stuff:

  • Blogger NetworkWorld.com from June 2007
  • GIAC Advisory Board from 2009
  • Lecturer / Speaker (Information Technology or Security related)
  • SANS Local Mentor (active in Japan)
  • CompTIA Security+ SME (a long time ago)
  • Judge, Imagine Cup 2005 Int'l IT Competition
  • Judge, Imagine Cup 2007 Int'l IT Competition
 
