Today I wanted to talk about a change that Microsoft made to domain join.
Starting with the 11 October 2022 cumulative update, KB5020276 introduces a behaviour change that will help a lot in making domain join error free.
I will quote the legacy behavior:
Before you install the October 11, 2022, or later cumulative updates, the client computer queries Active Directory for an existing account with the same name. This query occurs during domain join and computer account provisioning. If such an account exists, the client will automatically attempt to reuse it.
Note: The reuse attempt will fail if the user who attempts the domain join operation does not have the appropriate write permissions. However, if the user has enough permissions the domain join will succeed.
There are two scenarios for domain join with respective default behaviors and flags as follows:
- Domain Join (NetJoinDomain): defaults to account reuse (unless the NETSETUP_NO_ACCT_REUSE flag is specified).
- Account provisioning (NetProvisionComputerAccount/NetCreateProvisioningPackage): defaults to NO reuse (unless NETSETUP_PROVISION_REUSE_ACCOUNT is specified).
After the change, an additional security check is performed before an existing account is reused:
- Account reuse will be permitted if done by the account creator.
- Account reuse will be permitted if done by a member of the Domain Admins group.
That way, if you have delegated the domain join task, the check enforces more security on computer account names: a delegated account can no longer silently take over a computer object that someone else created.
Following that change you may see the error message below, which is expected if neither of the two conditions is met:
Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”
Some more information on the additional steps that can be taken:
Review computer account provisioning workflows and understand if changes are required. Then choose one of the following options:
1. Perform the join operation using the same account that created the computer account in the target domain.
2. If the existing account is stale (unused), delete it before attempting to join the domain again.
3. Rename the computer and join using a different account that doesn't already exist.
4. If the existing account is owned by a trusted security principal and an administrator wants to reuse the account, they might do so by temporarily setting the following registry key at the individual client computer level. Then immediately remove the registry setting after the join operation is complete. No restart is necessary for changes to the registry key to take effect.
Other values are ignored.
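Before touching any of the options above, it helps to know in advance whether a join will hit the new check. The following PowerShell function is an added example; it is not part of the original post or of KB5020276. It looks up an existing computer account with the same name, reads the object's owner and its mS-DS-CreatorSID attribute, checks whether the joining user is a (nested) member of Domain Admins, and flags the account as stale if it has shown no activity for a configurable number of days. It assumes the RSAT ActiveDirectory module is installed, that the caller can read the target domain, and a stale threshold of 90 days, which is an assumed value rather than anything the KB specifies. The function name, parameter names and the sample computer and account names are constructed for this example.

```powershell
# Added example (not from the original post or KB5020276): pre-flight check
# for the account-reuse conditions before running a domain join.
# Assumes the RSAT ActiveDirectory module and read access to the target domain.
Import-Module ActiveDirectory

function Test-ComputerAccountReuse {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,  # name the client will use when joining
        [Parameter(Mandatory)] [string] $JoinAccount,   # sAMAccountName of the user performing the join
        [int] $StaleDays = 90                           # assumed threshold for "stale (unused)"; not from the KB
    )

    $existing = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
        -Properties 'mS-DS-CreatorSID', LastLogonDate, PasswordLastSet, nTSecurityDescriptor `
        -ErrorAction SilentlyContinue

    if (-not $existing) {
        return [pscustomobject]@{
            ComputerName = $ComputerName
            Exists       = $false
            Expected     = 'No existing account: the join will create a new one'
        }
    }

    $joinerSid = (Get-ADUser -Identity $JoinAccount).SID.Value

    # Owner recorded in the computer object's security descriptor
    $ownerSid = $existing.nTSecurityDescriptor.GetOwner(
        [System.Security.Principal.SecurityIdentifier]).Value

    # mS-DS-CreatorSID is populated when an ordinary user created the account via
    # ms-DS-MachineAccountQuota; it is stored as a binary SID
    $creatorSid = $null
    if ($existing.'mS-DS-CreatorSID') {
        $creatorSid = (New-Object System.Security.Principal.SecurityIdentifier(
            $existing.'mS-DS-CreatorSID', 0)).Value
    }

    # Domain Admins always has the well-known RID 512; resolve nested membership
    $domainAdminsSid = "$((Get-ADDomain).DomainSID.Value)-512"
    $isDomainAdmin = [bool](Get-ADGroupMember -Identity $domainAdminsSid -Recursive |
        Where-Object { $_.SID.Value -eq $joinerSid })

    # Most recent sign of life: last logon or last password change, whichever is later
    $lastActivity = @($existing.LastLogonDate, $existing.PasswordLastSet) |
        Where-Object { $_ } | Sort-Object -Descending | Select-Object -First 1
    $isStale = (-not $lastActivity) -or ($lastActivity -lt (Get-Date).AddDays(-$StaleDays))

    # The two conditions the hardened check accepts: creator/owner, or Domain Admins member
    $permitted = ($joinerSid -eq $ownerSid) -or ($joinerSid -eq $creatorSid) -or $isDomainAdmin

    $expected = if ($permitted) {
        'Reuse permitted: joiner is the owner/creator or a member of Domain Admins'
    } elseif ($isStale) {
        'Expect 0xaac NERR_AccountReuseBlockedByPolicy; account looks stale, consider deleting it before joining'
    } else {
        'Expect 0xaac NERR_AccountReuseBlockedByPolicy; join with the creating account or rename the computer'
    }

    [pscustomobject]@{
        ComputerName       = $existing.Name
        DistinguishedName  = $existing.DistinguishedName
        Exists             = $true
        OwnerSid           = $ownerSid
        CreatorSid         = $creatorSid
        JoinerSid          = $joinerSid
        JoinerIsOwner      = ($joinerSid -eq $ownerSid)
        JoinerIsCreator    = ($joinerSid -eq $creatorSid)
        JoinerIsDomainAdmin = $isDomainAdmin
        LastActivity       = $lastActivity
        IsStale            = $isStale
        Expected           = $expected
    }
}

# Usage with constructed names (run as an account that can read the target domain):
# Test-ComputerAccountReuse -ComputerName 'WKS-0042' -JoinAccount 'svc-domainjoin' | Format-List
```

The result only predicts what the join will do; the authoritative decision is still made during NetJoinDomain on the client and domain controller. Running this check from the provisioning workflow lets a delegated join account find out whether a name collision exists, who owns the colliding object and whether it is stale, so the team can pick the right option above rather than reaching for the registry workaround.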
Important guidance for using option 4
Caution: If you choose to set this key to work around these protections, you will leave your environment vulnerable to CVE-2022-38042 unless your scenario is referenced below as appropriate. Do not use this method without confirmation that the Creator/Owner of the existing computer object is a secure and trusted security principal.
It is appropriate to use solution 4 in the following scenarios:
- An IT admin with delegated permissions needs to rejoin a computer to the target domain for troubleshooting purposes and the original account creator is a trusted account.
- A deployment scenario in which computer accounts are created beforehand using a dedicated service account (such as SCCM or other software) and the domain join is performed by a second dedicated account with delegated domain-join permissions (for example, “This account is allowed to join this computer to the domain”).
Microsoft might remove support for the NetJoinLegacyAccountReuse registry setting in a future update and replace it with an alternative method. This article will be updated if and when such changes take place.
- Do not add service accounts or provisioning accounts to the Domain Admins security group.
- Do not manually edit the security descriptor on computer accounts in an attempt to redefine the ownership of such accounts. While editing the owner will enable the new checks to succeed, the computer account might retain the same potentially risky, unwanted permissions for the original owner unless explicitly reviewed and removed.
- Do not add the NetJoinLegacyAccountReuse registry key to base OS images because the key should only be temporarily added and then removed directly after the domain join completes.
The article in reference is: KB5020276—Netjoin: Domain join hardening changes