Issues with domain membership after system restore

The Issue
Domain connected computers that perform a System Restore from a Restore Point older than twice the computer account change period will lose access to network resources. By default the computer account change period is 30 days. This issue is acknowledged by Microsoft and goes back to Windows XP:
https://support.microsoft.com/en-us/kb/295049

Windows XP allowed Restore Points to be aged with the use of the RPLifeInterval registry key but this has been deprecated since Windows Vista.
https://support.microsoft.com/en-us/kb/295659

The resolution
If the security team allow, increase the computer account change period to the same as the user password expiry. For most organisations this will be 60 days. This setting must be changed in a domain root linked group policy object i.e. at the same level as the "default domain policy".
https://support.microsoft.com/en-us/kb/259576
The setting is found here:
Computer\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain member: Max machine account password age = 60 days

The second and most important part of the solution is to script the deletion of Restore Points that are older than the machine password. Most client workstations will not have the RSAT tools installed so the PowerShell command Get-ADComputer will not be available. Instead the following LDAP query will return the age of the Machine Password:

$Searcher=[adsiSearcher]"(&(ObjectClass=Computer)(Name=$env:COMPUTERNAME))"
$Searcher.PropertiesToLoad.AddRange('pwdLastSet')
$Searcher.FindAll() |`
 %{$PasswordLastSet=[datetime]::FromFileTime($_.Properties['pwdlastset'][0])}

The function Delete-ComputerRestorePoints will be leveraged to perform the removal:
https://gallery.technet.microsoft.com/scriptcenter/Script-to-delete-System-4960775a/view/Discussions

This is called by:

Get-ComputerRestorePoint |`  
 Where {$_.ConvertToDateTime($_.CreationTime) -lt  $PasswordLastSet} | `
Delete-ComputerRestorePoints  

Finally if all restore points have been removed a new one will be created:

If (!(Get-ComputerRestorePoint))  
{
    CheckPoint-Computer -Description "Initial RP"
}

The whole script can be found here:
https://github.com/gbuktenica/Clean-SystemRestore
This can be deployed via Group Policy Scripts or better Group Policy Preferences to push the file and Scheduled Tasks to run daily. If using a scheduled task this will need to run "elevated".

To test the script do the following in an elevated prompt:
1. Create a restore point.
CheckPoint-Computer -Description "Test" 2. Confirm restore point created.
Get-ComputerRestorePoint 3. Reset the machine password.
Reset-ComputerMachinePassword -Credential DomainAdmin 4. Run the script
5. Confirm restore point deleted.
Get-ComputerRestorePoint