Netjoin: Domain join hardening changes for Windows


Summary

Windows updates released on and after October 11, 2022, contain additional protections introduced by CVE-2022-38042. These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain unless:
  1. The user attempting the operation is the creator of the existing account.

    OR
  2. The computer was created by a member of domain administrators.

Legacy behavior

Before you install the October 11, 2022, or later cumulative updates, the client computer queries Active Directory for an existing account with the same name. This query occurs during domain join and computer account provisioning. If such an account exists, the client will automatically attempt to reuse it.

Note: The reuse attempt will fail if the user who attempts the domain join operation does not have the appropriate write permissions on the existing account. However, if the user has sufficient permissions, the domain join will succeed.

There are two scenarios for domain join with respective default behaviors and flags as follows:

New behavior

Once you install the October 11, 2022, or later Windows cumulative updates on a client computer, during domain join, the client will perform additional security checks before attempting to reuse an existing computer account.

Algorithm:
  1. Account reuse attempt will be permitted if the user attempting the operation is the creator of the existing account.
  2. Account reuse attempt will be permitted if the account was created by a member of domain administrators.
These additional security checks are done before attempting to join the computer. If the checks are successful, the rest of the join operation is subject to Active Directory permissions as before.

This change does not affect new accounts.

Note: After installing the October 11, 2022, or later Windows cumulative updates, domain join with computer account reuse might intentionally fail with the following error:

Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”

If so, the account is intentionally being protected by the new behavior.

Event ID 4101 will be triggered once the error above occurs and the issue will be logged in c:\windows\debug\netsetup.log. Please follow the steps below in Take Action to understand the failure and resolve the issue.

Take Action

Review computer account provisioning workflows and understand if changes are required.
  1. Perform the join operation using the same account that created the computer account in the target domain.
  2. If the existing account is stale (unused), delete it before attempting to join the domain again.
  3. Rename the computer and join using a different computer name whose account doesn't already exist in the target domain.
  4. If the existing account is owned by a trusted security principal and an administrator wants to reuse the account, they might do so by temporarily setting the following registry key at the individual client computer level. Then immediately remove the registry setting after the join operation is complete. No restart is necessary for changes to the registry key to take effect.
Path: HKLM\System\CurrentControlSet\Control\LSA
Type: REG_DWORD
Name: NetJoinLegacyAccountReuse
Value: 1
Other values are ignored.
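The following is an added example, not part of the KB article, showing option 4 applied the way the article describes: the value is set, the join is attempted, and the value is removed immediately afterwards whether or not the join succeeded. It is meant to be run elevated in Windows PowerShell 5.1 on the client; the $DomainName and $JoinCredential parameters are assumed placeholders.

```powershell
# Added example (not from KB5020276). Run elevated on the client computer.
# $DomainName and $JoinCredential are placeholders supplied by the caller.
param(
    [Parameter(Mandatory)] [string] $DomainName,            # target domain, e.g. contoso.com (placeholder)
    [Parameter(Mandatory)] [pscredential] $JoinCredential   # account with delegated domain-join permission
)

$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$valueName = 'NetJoinLegacyAccountReuse'

try {
    # Only the value 1 is honoured; other values are ignored, as the KB states.
    New-ItemProperty -Path $lsaPath -Name $valueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Legacy account reuse temporarily enabled on this client."

    # No restart is needed for the value to take effect.
    Add-Computer -DomainName $DomainName -Credential $JoinCredential -ErrorAction Stop
    Write-Host "Domain join of this computer to $DomainName succeeded."
}
catch {
    # If the join still fails, the KB's netsetup.log will carry the detail (for
    # example 0xaac / NERR_AccountReuseBlockedByPolicy).
    Write-Warning "Domain join failed: $($_.Exception.Message)"
}
finally {
    # Remove the override regardless of outcome so the client is not left exposed
    # to CVE-2022-38042; ignore the error if the value was never created.
    Remove-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    $remaining = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $remaining) {
        Write-Host "$valueName removed."
    } else {
        Write-Warning "$valueName is still present under $lsaPath; remove it manually."
    }
}
```

The try/finally is the point of the script: the KB wants the value present only for the duration of a single join, and a failed join must not leave it behind.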

Important guidance for using option 4

Caution: If you choose to set this key to work around these protections, you will leave your environment vulnerable to CVE-2022-38042 unless your scenario is referenced below as appropriate. Do not use this method without confirmation that the Creator/Owner of the existing computer object is a secure and trusted security principal.
It is appropriate to use solution 4 in the following scenarios:
  1. An IT admin with delegated permissions needs to rejoin a computer to the target domain for troubleshooting purposes and the original account creator is a trusted account.

    OR
  2. A deployment scenario in which computer accounts are created beforehand by a dedicated service account (such as SCCM or other software) and the domain join is performed by a second dedicated account with delegated domain-join permissions (for example, "This account is allowed to join this computer to the domain").
Microsoft might remove support for the NetJoinLegacyAccountReuse registry setting in a future update and replace it with an alternative method. This article will be updated if and when such changes take place.
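Before using option 4 the article requires confirming that the Creator/Owner of the existing computer object is a trusted principal. The following added example (not from the KB) gathers that information for one existing account with the ActiveDirectory RSAT module: the security descriptor owner, which the hardened join checks, the mS-DS-CreatorSID attribute that is populated when the account was created through the "Add workstations to domain" privilege (the "joinpriv" path seen in netsetup.log), and the last logon time, which helps decide whether the account is stale and should simply be deleted (option 2). $ComputerName is an assumed placeholder; the 90-day staleness threshold is the example's own choice.

```powershell
# Added example (not from KB5020276). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function Get-ComputerAccountProvenance {
    param([Parameter(Mandatory)] [string] $ComputerName)   # sAMAccountName without the trailing $

    $acct = Get-ADComputer -Identity $ComputerName `
        -Properties nTSecurityDescriptor, 'mS-DS-CreatorSID', whenCreated, lastLogonTimestamp

    # The owner of the security descriptor is what the new join checks compare
    # against (creator of the account, or Domain Admins for admin-created accounts).
    $owner = $acct.nTSecurityDescriptor.Owner

    # mS-DS-CreatorSID is set when a non-admin created the account via joinpriv.
    # Depending on module version it may come back as a SecurityIdentifier or raw bytes.
    $creator = $null
    $raw = $acct.'mS-DS-CreatorSID'
    if ($raw) {
        $sid = if ($raw -is [byte[]]) {
            New-Object System.Security.Principal.SecurityIdentifier($raw, 0)
        } else { [System.Security.Principal.SecurityIdentifier]$raw }
        try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $creator = $sid.Value }   # unresolvable SID (deleted principal) stays as a SID string
    }

    $lastLogon = if ($acct.lastLogonTimestamp) { [DateTime]::FromFileTime($acct.lastLogonTimestamp) } else { $null }

    [pscustomobject]@{
        Name            = $acct.Name
        DistinguishedName = $acct.DistinguishedName
        Owner           = $owner
        CreatorSid      = $creator
        OwnedByDomainAdmins = ($owner -match '\\Domain Admins$')
        WhenCreated     = $acct.whenCreated
        LastLogon       = $lastLogon
        # Assumed threshold for "stale" in this example; adjust to local policy.
        StaleOver90Days = ($null -eq $lastLogon) -or ($lastLogon -lt (Get-Date).AddDays(-90))
    }
}

# Usage (placeholder name taken from the KB's log excerpt):
Get-ComputerAccountProvenance -ComputerName 'Computer2' | Format-List
```

If the owner or creator resolves to an unknown SID, a user no longer in the organisation, or a principal you would not trust to own workstations, the KB's guidance is to delete the stale account or rename the computer rather than to set NetJoinLegacyAccountReuse.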

Nonsolutions

  • Do not add service accounts or provisioning accounts to the Domain Admins security group.
  • Do not manually edit the security descriptor on computer accounts in an attempt to redefine the ownership of such accounts. While editing the owner will enable the new checks to succeed, the computer account might retain the same potentially risky, unwanted permissions for the original owner unless explicitly reviewed and removed.
  • Do not add the NetJoinLegacyAccountReuse registry key to base OS images because the key should only be temporarily added and then removed directly after the domain join completes.

New event logs

Event log: SYSTEM
Event Source: Netjoin
Event ID: 4100
Event Type: Informational
Event Text: "During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name.%nAn attempt to re-use this account was permitted. %n%nDomain controller searched: %1%nExisting computer account DN: %2%n%nSee KB5020276—Netjoin: Domain join hardening changes for more information."

Event log: SYSTEM
Event Source: Netjoin
Event ID: 4101
Event Type: Error
Event Text: "During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name.%nAn attempt to re-use this account was prevented for security reasons.%n%nDomain controller searched: %1%nExisting computer account DN: %2%nThe error code was %3.%n%nSee KB5020276—Netjoin: Domain join hardening changes for more information."

Debug logging is available by default (no need to enable any verbose logging) in C:\Windows\Debug\netsetup.log on all client computers.

Example of the debug logging generated when the reuse of the account is prevented for security reasons:

NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=Computer2,CN=Computers,DC=contoso,DC=com
NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=Computer2,CN=Computers,DC=contoso,DC=com
NetpCheckIfAccountShouldBeReused: Account was created through joinpriv and does not belong to this user. Blocking re-use of account.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac
NetpProvisionComputerAccount: LDAP creation failed: 0xaac
ldap_unbind status: 0x0
NetpJoinCreatePackagePart: status:0xaac.
NetpJoinDomainOnDs: Function exits with status of: 0xaac
NetpJoinDomainOnDs: status of disconnecting from '\\DC1.contoso.com': 0x0
NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'contoso.com' returned 0x0
NetpJoinDomainOnDs: NetpResetIDNEncoding on 'contoso.com': 0x0
NetpDoDomainJoin: status: 0xaac
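The following is an added example, not from the KB, that pulls together the two sources of evidence the article names for a blocked reuse on a client: the Netjoin 4101 event (whose %1, %2 and %3 placeholders carry the domain controller, the existing DN and the error code) and the lines in C:\Windows\Debug\netsetup.log that match the excerpt above. It assumes the event's insertion strings are exposed in the same order as the placeholders; the default lookback window is the example's own choice.

```powershell
# Added example (not from KB5020276). Run on the client that attempted the join.

function Get-BlockedAccountReuseEvents {
    # Netjoin 4101 = reuse prevented; 4100 = reuse permitted (both documented in the KB).
    param([int] $Days = 7, [int[]] $EventIds = @(4101))
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Netjoin'
        Id           = $EventIds
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Assumed: Properties[0..2] correspond to %1 (DC), %2 (DN), %3 (error code).
        [pscustomobject]@{
            Time             = $_.TimeCreated
            EventId          = $_.Id
            DomainController = $_.Properties[0].Value
            ExistingDN       = $_.Properties[1].Value
            ErrorCode        = if ($_.Properties.Count -gt 2) { $_.Properties[2].Value } else { $null }
        }
    }
}

function Get-BlockedAccountReuseFromLog {
    param([string] $LogPath = 'C:\Windows\Debug\netsetup.log')
    if (-not (Test-Path -Path $LogPath)) { return }

    # Markers taken from the KB's log excerpt; 0xaac is NERR_AccountReuseBlockedByPolicy.
    $pattern = 'Blocking re-use of account|re-use is blocked by policy|NetpGetComputerObjectDn:.*DN = |0xaac'
    Select-String -Path $LogPath -Pattern $pattern | ForEach-Object {
        $dn = $null
        if ($_.Line -match 'DN = (?<dn>CN=.+)$') { $dn = $Matches['dn'] }
        [pscustomobject]@{
            LineNumber = $_.LineNumber
            ExistingDN = $dn
            Text       = $_.Line.Trim()
        }
    }
}

# Usage: correlate the event with the log detail for the same account name.
Get-BlockedAccountReuseEvents | Format-Table -AutoSize
Get-BlockedAccountReuseFromLog | Format-Table -AutoSize
```

A 4101 event together with "Account was created through joinpriv and does not belong to this user" in the log is the signature of the new protection working as intended; the remediation is one of the four options under Take Action, not disabling the check fleet-wide.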
