Domain joins fail after installing October 2022 windows updates

Article ID: 254267

Products

Ghost Solution Suite Deployment Solution IT Management Suite

Issue/Introduction

Since Microsoft KB5020276 was released, customers are experiencing unexpected behaviors on the domain join portion of their imaging process. The NetSetup log file in C:\Windows\debug on the local machine shows the following entries:

11/08/2022 14:34:12:378 IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2. 
11/08/2022 14:34:12:378 IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
11/08/2022 14:34:12:394 NetpCheckIfAccountShouldBeReused: Failed to NetpLsaLookupSidFromName. NetStatus: 8ac
11/08/2022 14:34:12:394 NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x8ac
11/08/2022 14:34:12:394 NetpModifyComputerObjectInDs: Failed to check if account can be re-used. Error: 0x8ac 
11/08/2022 14:34:12:398 NetpManageMachineAccountWithSid: The computer account already exists in Active Directory.Re-using the account was blocked by security policy.
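The following added example (not part of this article or of the Ghost/Deployment Solution products) parses netsetup.log lines of the form shown above and reports whether a join failed under the new account-reuse check, which non-zero status codes were logged, and whether the NetJoinLegacyAccountReuse registry value was readable. The sample input is the log excerpt from the Issue section; the function and field names are this example's own.

```python
import re
from dataclasses import dataclass, field

# Sample input: the netsetup.log excerpt quoted in the Issue section above.
SAMPLE_LOG = """\
11/08/2022 14:34:12:378 IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2.
11/08/2022 14:34:12:378 IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
11/08/2022 14:34:12:394 NetpCheckIfAccountShouldBeReused: Failed to NetpLsaLookupSidFromName. NetStatus: 8ac
11/08/2022 14:34:12:394 NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x8ac
11/08/2022 14:34:12:394 NetpModifyComputerObjectInDs: Failed to check if account can be re-used. Error: 0x8ac
11/08/2022 14:34:12:398 NetpManageMachineAccountWithSid: The computer account already exists in Active Directory.Re-using the account was blocked by security policy.
"""

# "<date> <time> <Function>: <message>" as written by the Netp* join code.
LINE_RE = re.compile(r"^(\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}:\d{3}) (\w+):?\s*(.*)$")
STATUS_RE = re.compile(r"(?:NetStatus|Error|Status):\s*(?:0x)?([0-9a-fA-F]+)")
BLOCKED_TEXT = "Re-using the account was blocked by security policy"

@dataclass
class ReuseDiagnosis:
    blocked: bool = False                   # join hit the new account-reuse policy check
    legacy_reuse_value_found: bool = False  # NetJoinLegacyAccountReuse was readable (status 0)
    status_codes: list = field(default_factory=list)  # distinct non-zero codes, e.g. "0x8ac"
    first_failure: str = ""                 # function that first reported a non-zero status
    when: str = ""                          # timestamp of that first failure

def diagnose_netsetup(log_text: str) -> ReuseDiagnosis:
    d = ReuseDiagnosis()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        when, func, msg = m.groups()
        code = STATUS_RE.search(msg)
        value = int(code.group(1), 16) if code else None
        if func == "IsLegacyAccountReuseSetInRegistry":
            # RegQueryValueEx status 0 means the override value exists; 0x2 (file not found) means it is absent.
            if value is not None:
                d.legacy_reuse_value_found = value == 0
            continue
        if value:
            hex_code = f"0x{value:x}"
            if hex_code not in d.status_codes:
                d.status_codes.append(hex_code)
            if not d.first_failure:
                d.first_failure, d.when = func, when
        if BLOCKED_TEXT in msg:
            d.blocked = True
    return d
```

Run it against a full C:\Windows\debug\netsetup.log to confirm that a failed image-time join is the policy block described in this article rather than an unrelated join error.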

Cause

Microsoft tightened the domain join security checks in KB5020276. From the KB:

New behavior 

Once you install the October 11, 2022, or later Windows cumulative updates on a client computer, during domain join, the client will perform additional security checks before attempting to reuse an existing computer account.

Algorithm:

  1. Account reuse attempt will be permitted if the user attempting the operation is the creator of the existing account.
  2. Account reuse attempt will be permitted if the account was created by a member of domain administrators.

These additional security checks are done before attempting to join the computer. If the checks are successful, the rest of the join operation is subject to Active Directory permissions as before.

This change does not affect new accounts.

Note: After installing the October 11, 2022, or later Windows cumulative updates, domain join with computer account reuse might intentionally fail with the following error:

Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”

If so, the account is intentionally being protected by the new behavior.

Event ID 4101 will be triggered once the error above occurs and the issue will be logged in c:\windows\debug\netsetup.log. Please follow the steps below in Take Action to understand the failure and resolve the issue.

Resolution

Microsoft gives administrators the following four suggestions for resolving this issue:

Take Action

Review computer account provisioning workflows and understand if changes are required.

  1. Perform the join operation using the same account that created the computer account in the target domain.
  2. If the existing account is stale (unused), delete it before attempting to join the domain again.
  3. Rename the computer and join using a different computer name whose account doesn't already exist.
  4. If the existing account is owned by a trusted security principal and an administrator wants to reuse the account, they might do so by temporarily setting the following registry key at the individual client computer level. Then immediately remove the registry setting after the join operation is complete. No restart is necessary for changes to the registry key to take effect.