Issues with domain membership after a system restore
- If you use System Restore after the password change interval has expired one time, and you restore the computer to a point before the password changes, the next password change may not occur when it is due. Instead, the operating system treats the restore as if the password was changed.
- If you use System Restore after the password change interval has expired two times, and you restore the computer to a point before the password changes, the domain user accounts on the computer are disabled, and users receive an error message when they try to log on.
The behavior that is described in the "Symptoms" section occurs because System Restore only rolls back the local computer state. Part of the information about joining domains resides in the Active Directory directory service, and System Restore does not roll back Active Directory.
For the first symptom, the delayed password change occurs because System Restore rewrites the LSA secret that holds the password with the same values. This rewrite updates the time stamp on the secret, and the Netlogon service uses that time stamp to decide when the password change is due. For the second symptom, there is no locally stored password that matches the machine account password in Active Directory.
To resolve the second symptom, use one of the following methods:
- Remove the computer from the domain, and then re-add it to the domain.
- Undo the restoration.
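The following pre-restore check is an added example, not part of the original article: it estimates how many machine account password changes occurred after a given restore point and maps the count to the two symptoms above. The function name `Get-RestoreTrustRisk`, the regular-cadence assumption, and the sample dates are constructed for illustration.

```powershell
# Added example (hypothetical helper, not Microsoft's code).
# Assumption: the machine account password was changed regularly every
# $IntervalDays, with the most recent change at $LastChange. A computer that
# was offline changes less often, so the estimate errs on the cautious side.
function Get-RestoreTrustRisk {
    param(
        [Parameter(Mandatory)] [datetime] $RestorePointTime,
        [Parameter(Mandatory)] [datetime] $LastChange,  # e.g. PasswordLastSet of the computer object in AD
        [int] $IntervalDays = 30                        # default Netlogon MaximumPasswordAge
    )
    $delta   = ($LastChange - $RestorePointTime).TotalDays
    $changes = if ($delta -le 0) { 0 } else { [int][math]::Ceiling($delta / $IntervalDays) }
    $risk = switch ($changes) {
        0       { 'None: restore point is newer than the last password change' }
        1       { 'Symptom 1: the next password change may be delayed' }
        default { 'Symptom 2: domain users get a logon error; rejoin the domain or undo the restore' }
    }
    [pscustomobject]@{
        RestorePoint     = $RestorePointTime
        EstimatedChanges = $changes
        Risk             = $risk
    }
}

# Constructed sample data (not taken from a real computer)
$lastChange = [datetime]'2024-06-01'
'2024-06-10', '2024-05-20', '2024-03-15' | ForEach-Object {
    Get-RestoreTrustRisk -RestorePointTime ([datetime]$_) -LastChange $lastChange
}

# On a domain member (Windows PowerShell 5.1, elevated), feed in real values:
# $p = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
# Get-ComputerRestorePoint | ForEach-Object {
#     Get-RestoreTrustRisk -RestorePointTime $_.ConvertToDateTime($_.CreationTime) `
#         -LastChange $lastChange -IntervalDays $p.MaximumPasswordAge
# }
```

With the sample dates, the three restore points are classified as no risk, the first symptom, and the second symptom, in that order.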
Article ID: 295049 - Last Review: 12/06/2015 01:52:43 - Revision: 4.1