Windows (many versions) caches old AD-account information

Windows – both client and server, in many versions – caches old AD-account information.

Most often, this gives problems, when a user changes their username in AD, but on another server, the old username is cached and associated with the users SID. So when a username for a given SID is requested on the other server, the old username is returned.

The reasoning behind the functionality can be found here:

The LsaLookupSids function may return the old user name instead of the new user name if the user name has changed

The cache can be disabled by inserting DWORD 0 in registry-key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\LsaLookupCacheMaxSize

This article gives no other method to reset the cache – apart from restarting the server.

Other users have found better solutions – such as running the short 2-line PowerShell given below, which updates the cached AD-information for the given user.

http://serverfault.com/questions/266180/purging-ad-principal-from-cache

$objuser = new-object system.security.principal.ntaccount “domain\<new account name>”
$objuser.translate([system.security.principal.securityidentifier])