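Since Windows Server 2008, Microsoft has enforced higher security on RDP sessions with Network Level Authentication (NLA). If people in your company never log in to the domain controller using a PC, and policy dictates that they should change their password at first login, this is impossible: NLA requires valid credentials before the session is created, so the password-change prompt is never reached.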
However, you can fix this by going to the collection, editing its properties and selecting Security.
Disable ‘Allow connections only from computers running Remote Desktop with Network Level Authentication’.
Save, and now you’re done!
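
The same setting can be changed from PowerShell with the RemoteDesktop module, which also lets you record the NLA state of every collection first and confirm that only the intended one changed. This is an added example, not part of the original post; the collection name and Connection Broker name are placeholders.

```powershell
# Added example. Both default values below are placeholders (assumptions):
# replace them with your own collection and RD Connection Broker.
param(
    [string]$CollectionName   = 'ExampleCollection',
    [string]$ConnectionBroker = 'rdcb.example.internal'
)

Import-Module RemoteDesktop -ErrorAction Stop

# Read the security settings of one collection as a flat object.
function Get-CollectionSecurity([string]$Name) {
    $sec = Get-RDSessionCollectionConfiguration -CollectionName $Name `
               -ConnectionBroker $ConnectionBroker -Security
    [pscustomobject]@{
        Collection      = $Name
        NLA             = $sec.AuthenticateUsingNLA
        SecurityLayer   = $sec.SecurityLayer
        EncryptionLevel = $sec.EncryptionLevel
    }
}

# 1. Record the state of every collection before touching anything,
#    so the change can be reviewed and reverted later.
$before = Get-RDSessionCollection -ConnectionBroker $ConnectionBroker |
    ForEach-Object { Get-CollectionSecurity $_.CollectionName }
$before | Format-Table -AutoSize

if ($before.Collection -notcontains $CollectionName) {
    throw "Collection '$CollectionName' not found on $ConnectionBroker."
}

# 2. Clear the NLA requirement on the named collection only. This is the
#    scripted equivalent of unticking the checkbox on the Security page.
Set-RDSessionCollectionConfiguration -CollectionName $CollectionName `
    -ConnectionBroker $ConnectionBroker -AuthenticateUsingNLA $false

# 3. Verify the result and confirm no other collection changed.
$after = Get-RDSessionCollection -ConnectionBroker $ConnectionBroker |
    ForEach-Object { Get-CollectionSecurity $_.CollectionName }
$after | Format-Table -AutoSize

$target = $after | Where-Object Collection -eq $CollectionName
if ($target.NLA) { throw "NLA is still required on '$CollectionName'." }

$unexpected = Compare-Object $before $after -Property Collection, NLA |
    Where-Object Collection -ne $CollectionName
if ($unexpected) { Write-Warning 'NLA state differs on other collections.' }
```

Passing `-AuthenticateUsingNLA $true` to the same cmdlet restores the original setting.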