Active Directory - Joining With Preexisting Computer Object (Post KB5020276)

Christian Farley 1 Reputation point
2022-10-27T13:53:23.617+00:00

With KB5020276, our team members are no longer able to join objects to the domain that were created by privileged team members.

We have two groups: 'Admins' and 'Technicians'. Our Admins have permission to create Computer objects, and will create preexisting computer objects in the proper OUs, adding the Technicians group to the 'User or Group' that 'can join this computer to a domain'. When imaging, our Technicians will join the computer to the domain. However, with the KB5020276 update, now only the creator of the OU is currently able to join the computer.

Is there an additional setting necessary so our techs can join computers to the domain?


1 answer

  1. Daisy Zhou 20,461 Reputation points Microsoft Vendor
    2022-11-03T06:11:02.59+00:00

    Hello ChristianFarley-6650,

    Thank you for posting in our Q&A forum.

    From the following link, it seems you can only join the machines to the domain with one of the following methods.

    The user attempting the operation is the creator of the existing account.

    OR

    The computer was created by a member of domain administrators.

    KB5020276—Netjoin: Domain join hardening changes
    https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8

    Hope the information above is helpful.

    Best Regards,
    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
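As an added example (not part of the original thread or of Microsoft's documentation), the following PowerShell audits the pre-staged computer objects in an OU and reports which ones a given technician account could still join under the two conditions the answer quotes. It assumes the "creator" the hardening checks is reflected in each object's security descriptor owner, that the ActiveDirectory RSAT module is installed, and that `$SearchBase` and `$JoiningUser` are placeholders for your own OU and technician account.

```powershell
# Added example, not from the original thread. ASSUMPTION: the creator checked by
# KB5020276 corresponds to the computer object's security descriptor owner.
Import-Module ActiveDirectory

$SearchBase  = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$JoiningUser = 'EXAMPLE\tech01'                      # placeholder technician

function Test-PrestagedJoinEligibility {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $JoiningUser
    )

    # Resolve the joining account to a SID once so comparisons are SID-based.
    $joinerSid = ([System.Security.Principal.NTAccount] $JoiningUser).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value

    # Domain Admins group SID plus the SIDs of its (recursive) members.
    $domainAdminsGroupSid = (Get-ADGroup -Identity 'Domain Admins').SID.Value
    $domainAdminSids = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                       ForEach-Object { $_.SID.Value }

    Get-ADComputer -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor |
      ForEach-Object {
        # Owner of the object, as a SID (the assumed "creator").
        $ownerSid = $_.nTSecurityDescriptor.GetOwner(
                        [System.Security.Principal.SecurityIdentifier]).Value

        # Rule from the answer: owner is the joining user, or owner is
        # Domain Admins itself or one of its members.
        $eligible = ($ownerSid -eq $joinerSid) -or
                    ($ownerSid -eq $domainAdminsGroupSid) -or
                    ($domainAdminSids -contains $ownerSid)

        [pscustomobject]@{
            Computer    = $_.Name
            Owner       = $_.nTSecurityDescriptor.Owner
            JoinAllowed = $eligible
        }
      }
}

# List the pre-staged objects the technician would be blocked from joining.
Test-PrestagedJoinEligibility -SearchBase $SearchBase -JoiningUser $JoiningUser |
    Where-Object { -not $_.JoinAllowed } |
    Format-Table -AutoSize
```

Objects listed with `JoinAllowed` false are the ones to re-stage (or re-own) by the account that will perform the join, or by a Domain Admin, before imaging.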