Restores that are disabled
|
When user and computer accounts are restored from a granular Active Directory restore, they are sometimes disabled.
The following are possible reasons why the accounts can be disabled:
- When objects in Active Directory are deleted, they are removed from their current Active Directory or ADAM/AD LDS container. They are converted into tombstones and placed in the Active Directory Deleted Objects container where their tombstone lifetime is monitored. By default, NetBackup restores deleted objects from this container if the tombstone lifetime has not passed.
  After the tombstone lifetime passes, the tombstones are purged from the Active Directory Deleted Objects container. Purging the tombstones has the effect of permanently deleting the objects from the Active Directory and ADAM/AD LDS databases.
- When restoring user objects, you must reset the object's user password and enable the object's user account:
  - For Active Directory user objects, use the Microsoft Active Directory Users and Computers application.
  - For ADAM/AD LDS user objects, use ADSI Edit.
  In Active Directory, computer objects are derived from user objects. Some attributes that are associated with a computer object cannot be restored when you restore a deleted computer object. They can only be restored if the attributes were saved through schema changes when the computer object was originally deleted.
- Computer object credentials change every 30 days and the credentials from the backup may not match the credentials that are stored on the actual computer. When a computer object is restored, it is disabled if the userAccountControl property was not preserved in the deleted object.
  Use the Microsoft Active Directory Users and Computers application to reset the account of a computer object:
  - Remove the computer from the domain.
  - Re-join the computer to the domain. The security identifier (SID) for the computer remains the same since it is preserved when a computer object is deleted. However, if the tombstone expired and a new computer object was recreated, the SID is different.
|
Group and member objects
|
Restoring Active Directory group membership links may require that the restore job be run twice.
For example, consider the case where a group and its member objects are deleted.
If a restore job contains both group objects and member objects, the job restores the objects in alphabetical order. However, the group that is restored has a link dependency on a member that does not exist yet. When the group is restored, the link cannot be restored.
Run the restore again to restore all forward and backward links.
|
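As an added example (not part of the NetBackup documentation), the following read-only PowerShell check reports, for each restored object, whether the ACCOUNTDISABLE bit of userAccountControl is set, when the password was last set, the SID, and how many forward and backward membership links came back. It assumes the RSAT ActiveDirectory module is installed; the distinguished names, the `Get-LinkCount` helper and the action messages are constructed for illustration.

```powershell
# Added example: read-only post-restore check (needs the RSAT ActiveDirectory module).
Import-Module ActiveDirectory

# Constructed placeholder DNs; substitute the objects selected in the restore job.
$RestoredDNs = @(
    'CN=Example User,OU=Staff,DC=example,DC=test',
    'CN=EXAMPLE-PC01,OU=Workstations,DC=example,DC=test',
    'CN=Example Group,OU=Groups,DC=example,DC=test'
)
$AccountDisable = 0x2   # ACCOUNTDISABLE bit of userAccountControl

# Hypothetical helper: an unset attribute and an empty collection both count as 0.
function Get-LinkCount($Values) { if ($Values) { @($Values).Count } else { 0 } }

$report = foreach ($dn in $RestoredDNs) {
    try {
        $o = Get-ADObject -Identity $dn -ErrorAction Stop -Properties `
            userAccountControl, pwdLastSet, member, memberOf, objectSid
    } catch {
        # Not restored, or the tombstone was purged before the restore ran.
        [pscustomobject]@{ DN = $dn; Class = 'MISSING'; Action = 'Not found in the directory' }
        continue
    }
    $isAccount = $o.ObjectClass -in 'user', 'computer'
    $disabled  = $isAccount -and [bool]($o.userAccountControl -band $AccountDisable)
    $members   = Get-LinkCount $o.member
    $action = if ($disabled -and $o.ObjectClass -eq 'computer') {
        'Disabled: reset the account, then remove and re-join the computer'
    } elseif ($disabled) {
        'Disabled: reset the password and enable the account'
    } elseif ($o.ObjectClass -eq 'group' -and $members -eq 0) {
        'No member links: compare with the backup, run the restore again if needed'
    } else { 'None' }
    [pscustomobject]@{
        DN = $dn; Class = $o.ObjectClass; Disabled = $disabled
        PwdLastSetUtc = if ($o.pwdLastSet -gt 0) { [DateTime]::FromFileTimeUtc($o.pwdLastSet) }
        Members = $members; MemberOf = Get-LinkCount $o.memberOf
        SID = $o.objectSid; Action = $action
    }
}
$report | Format-List
```

Comparing the reported SID with the value recorded before the deletion shows whether the original object was restored or a new one was created after the tombstone expired.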