Cannot access DPAPI data after an administrator resets your password on a Windows Server 2012 R2-based domain controller

Applies to: Windows Server 2012 R2 Datacenter, Windows Server 2012 R2 Essentials, Windows Server 2012 R2 Foundation

This article describes an issue that occurs after an administrator resets a user's password on a domain controller that is upgraded to Windows Server 2012 R2. An update is available to resolve this issue, and the update has prerequisites.

Symptoms


Assume that a domain controller is upgraded from an earlier version of Windows Server to Windows Server 2012 R2. After an administrator resets a user's password in the domain, the user cannot access Windows Data Protection API (DPAPI) protected data. For example, the user cannot access the certificate private key.

Note: This issue may occur when users change their own passwords.

Cause


This issue occurs because of an incompatibility in the authentication mechanism that is used by domain controllers. If DPAPI keys are backed up on domain controllers that run a version of Windows Server earlier than Windows Server 2012, and the same keys are retrieved from domain controllers after an upgrade to Windows Server 2012 R2, key retrieval fails after an administrator changes a user's password.
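A diagnostic check for the symptom and cause described above, added here as an example that is not part of the original article. It is run as the affected user and assumes .NET Framework 4.6 or later; the function names are hypothetical, and a reported failure can have other causes (for example an absent smart card or a key that is not allowed to sign).

```powershell
# Added diagnostic example; not Microsoft's code and not part of the update.
# Assumption: .NET Framework 4.6+ (GetRSAPrivateKey, HashAlgorithmName).
# Run in the affected user's session. The test signature is discarded.

function Test-UserCertificateKeys {
    $data    = [System.Text.Encoding]::ASCII.GetBytes('dpapi-key-access-test')
    # SHA-1 is used only because every legacy CSP accepts it for a self-test.
    $hash    = [System.Security.Cryptography.HashAlgorithmName]::SHA1
    $padding = [System.Security.Cryptography.RSASignaturePadding]::Pkcs1
    $ext     = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]

    foreach ($cert in Get-ChildItem -Path Cert:\CurrentUser\My) {
        # HasPrivateKey only says a key is associated; it does not open it.
        if (-not $cert.HasPrivateKey) { continue }
        $status = 'OK'
        $detail = ''
        try {
            $rsa = $ext::GetRSAPrivateKey($cert)
            if ($null -eq $rsa) {
                $status = 'Skipped'
                $detail = 'Not an RSA key'
            } else {
                # Signing forces the provider to load the protected private key.
                $null = $rsa.SignData($data, $hash, $padding)
            }
        } catch {
            $status = 'Failed'
            $detail = $_.Exception.GetBaseException().Message
        }
        [pscustomobject]@{
            Thumbprint = $cert.Thumbprint
            Subject    = $cert.Subject
            Status     = $status
            Detail     = $detail
        }
    }
}

function Get-DpapiMasterKeyFiles {
    # Per-user DPAPI master keys are hidden system files, hence -Force.
    $root = Join-Path $env:APPDATA 'Microsoft\Protect'
    Get-ChildItem -Path $root -Recurse -Force -File |
        Where-Object { $_.Name -match '^[0-9a-fA-F-]{36}$' } |
        Select-Object Name, CreationTime, LastWriteTime
}

Test-UserCertificateKeys | Format-Table -AutoSize
Get-DpapiMasterKeyFiles | Sort-Object CreationTime | Format-Table -AutoSize
```

Master key files created before the password reset are the ones whose recovery depends on the domain controller; certificates that report Failed after a reset are candidates for this issue.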

Resolution


Important: Do not install a language pack after you install this update. If you do, the language-specific changes in the update will not be applied, and you will have to reinstall the update. For more information, see Add language packs to Windows.

To resolve this issue, apply the update that is described in this article on the Windows Server 2012 R2-based domain controller. Even though this issue has only been observed in Windows Server 2012 R2, the update also applies to Windows 8.1 and Windows RT 8.1.

How to obtain the update

Method 1: Windows Update

This update is available from Windows Update.

Method 2: Microsoft Download Center

The following files are available for download from the Microsoft Download Center:
Operating system | Update
All supported x86-based versions of Windows 8.1 | Download the package now.
All supported x64-based versions of Windows 8.1 | Download the package now.
All supported x64-based versions of Windows Server 2012 R2 | Download the package now.

Note: The update for Windows RT 8.1 can be obtained only from Windows Update.

For more information about how to download Microsoft support files, click the following article number to view the article in the Microsoft Knowledge Base:
119591 How to obtain Microsoft support files from online services
Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help prevent any unauthorized changes to the file.

Update detail information


Prerequisites

To install this update, you must have the following update installed:

Registry information

To use the update in this package, you do not have to make any changes to the registry.

Restart requirement

You have to restart the computer after you apply this update. 

Replacement information

This update does not replace a previously released update.

Workaround


To work around this issue, revert to the user's old password.

Status


Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the "Applies to" section.

References


See the terminology that Microsoft uses to describe software updates.