We have two separate, untrusted forests - DMZ and production.
Production is at DFL/FFL 2008.
DMZ is at DFL/FFL 2012R2.
I changed a password for an account in the DMZ forest, setting it to
require change at next logon.
User cannot RDP from machine in production forest to machine in DMZ
forest because the password must be changed first.
User cannot change password on machine in production forest for
account in DMZ forest using ALT+CTRL+DEL, because he's getting the
message:
"configuration information could not be read from the domain controller,
either because the machine is unavailable, or access has been denied."
I know I can unset the requirement to change the password at next
logon, but that seems silly, because then I can't enforce having him
change it without standing over his shoulder while he does it.
How the heck can I do this? I've tried with my own user accounts, and
have confirmed the problem.
Kurt