Good day to you all!
Guys, help me with something I cannot find an answer to. In short, this is a domain topic: right-click on the account, choose change password, check the box "The user must change the password...", and type a temporary password, for example 123456.
Ideally, and on many DC machines, you type the address of the RDS machine into mstsc or another client. A logon window appears and you are asked to enter your login and password; we enter our login and the password 123456, and then the same logon window asks you to change your password... This is configured in the GPO and so on. But here's the thing: there are controllers or PCs whose terminal server is configured so that the logon window is not shown, and on the above request to change the password this window is shown immediately instead: https://i.stack.imgur.com/PAk4V.jpg
In short! Here's the solution!
Make an account that is not in any group of the domain, or rather make an empty group and set it as the user's main group, removing the user even from the Domain Users group.
We add this user to the remote desktop group on the farm gateway only.
Then, in ANY client, we enter this user's details (login, password, domain) ONLY in the gateway section.
In the same connection settings, enter the PC to connect to (usually the 1st PC in the farm).
That's everything. Profit. Thank you all. The solution was found by the collective mind of my team, for which a BIG THANK YOU to the team, myself included!