Hello,
I've proceeded step by step with all instructions regarding KB5020276:
But still, I'm getting the error that accounts re-use is blocked by the security policy
I've also checked NetSetup.log file and the output is quite strange:
IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2.
IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
NetpDsValidateComputerReuseAttempt: returning NtStatus: 0, NetStatus: 0
NetpDsValidateComputerReuseAttempt: fReuseAllowed: FALSE, NetStatus 0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac
I've tested the behavior in 3 cases:
In all 3 cases, I'm getting the error that the account cannot be re-used
After all, I've checked the alternative path - with NetJoinLegacyAccountReuse - only with this field set to 1 in the registry was I able to perform domain re-join using delegated account and Domain Admin account
Do you know what can be missing or wrongly configured in the KB5020276 (March 16) implementation? I've checked everything several times and I fail every time.
In all 3 cases, I'm getting the error that the account cannot be re-used
Do you have a screenshot?
This may be expected behavior. Some workarounds are also mentioned here.
--please don't forget to upvote and Accept as answer if the reply is helpful--
We're running into the same issue. Everything that should be in place seems to be. A GPO grants account reuse to a group, all the accounts that we use to create accounts are in said group, the latest updates seem to be everywhere, but we still get the same error that reuse is blocked by policy.
After really looking at the logs I think I've tracked it down in our case. In NetSetup.log I found the following line:
NetpGetADObjectOwnerAttributes: Ms-Ds-CreatorSid is empty.
We looked and found the property wasn't defined on the device (or a lot of the devices in AD). I imagine this then boils down to that without a creator to check against it can't verify that it's in the trusted groups, so it blocks re-use as intended. Now to try and find out why that property doesn't seem to exist for us.
We're running into the same issue. Everything's by the book according to KB5020276, but still getting the same error. The only thing in the instructions that's causing us to scratch our heads is:
Use the object picker to add users or groups of trusted computer account creators and owners to the Allow permission. (As a best practice, we highly recommend that you use groups for permissions.) Do not add the user account that performs the domain join.
Is that last bolded line just reiterating that we should use a group instead of adding users directly? Or is there some difference I'm missing between "the user account that performs the domain join" and the "trusted computer account creators and owners"?
Just a note on this one, since I struggled with it for a while.
From the wording of the doc, it's hard to pick up... until you realize.
So, in summary, whichever account is the owner on the computer you are trying to join should be in the group that is part of the policy.
It's easy to miss... this is not the actual Service Account that is doing the domain join itself. Once the above is setup, ... only then do the ACLs on the OU or computer object come into play for the actual domain join.
The two processes are totally separate, and I missed this at first.
It's actually mentioned in a few places in the article, and I still missed it at first.
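As an added diagnostic example (not code from this thread, from Microsoft, or from KB5020276), the PowerShell script below checks the two things the last two posts describe: who the owner and the mS-DS-CreatorSID of the existing computer object are, and whether either of them falls inside the group placed in the "Allow computer account re-use during domain join" policy. It also reads the NetJoinLegacyAccountReuse value that the original poster used as the fallback (RegQueryValueEx status 0x2 in NetSetup.log is ERROR_FILE_NOT_FOUND, i.e. the value is simply absent). The RSAT ActiveDirectory module, the parameter names and the $AllowedGroup name are assumptions; the group you pass must be the one actually listed in the policy on the domain controllers.

```powershell
# Added example, not from the thread or from KB5020276.
# Assumes the RSAT ActiveDirectory module and that $AllowedGroup is the group
# configured in "Allow computer account re-use during domain join" (assumptions).
param(
    [Parameter(Mandatory)] [string] $ComputerName,
    [Parameter(Mandatory)] [string] $AllowedGroup
)

Import-Module ActiveDirectory

# The hardened join path evaluates the owner/creator of the EXISTING computer
# object, not the account that runs the join. Pull both attributes.
$comp = Get-ADComputer -Identity $ComputerName -Properties nTSecurityDescriptor, 'mS-DS-CreatorSID'

# Owner from the security descriptor, as a SID so it compares cleanly.
$ownerSid = $comp.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier])

# mS-DS-CreatorSID is a byte[]; it is populated when the object was created through
# the machine-account quota by a user without explicit create rights on the OU.
# Admin-created objects normally leave it empty, which is what "is empty" in the log means.
$creatorSid = $null
if ($comp.'mS-DS-CreatorSID') {
    $creatorSid = New-Object System.Security.Principal.SecurityIdentifier($comp.'mS-DS-CreatorSID', 0)
}

# All SIDs the policy trusts: the group itself plus its transitive membership
# (LDAP_MATCHING_RULE_IN_CHAIN also returns nested groups, so a group that is the
# owner of the computer object is matched too).
$allowedGroupObj = Get-ADGroup -Identity $AllowedGroup
$allowedSids = @($allowedGroupObj.SID.Value) + @(
    Get-ADObject -LDAPFilter "(memberOf:1.2.840.113556.1.4.1941:=$($allowedGroupObj.DistinguishedName))" -Properties objectSid |
        ForEach-Object { $_.objectSid.Value }
)

$ownerTrusted   = ($null -ne $ownerSid)   -and ($allowedSids -contains $ownerSid.Value)
$creatorTrusted = ($null -ne $creatorSid) -and ($allowedSids -contains $creatorSid.Value)

# Local legacy override on the machine performing the join (the fallback from the
# original post). Absent value => hardened rules apply.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name NetJoinLegacyAccountReuse -ErrorAction SilentlyContinue
$legacyOverride = ($null -ne $lsa) -and ($lsa.NetJoinLegacyAccountReuse -eq 1)

[pscustomobject]@{
    Computer        = $comp.SamAccountName
    Owner           = $(try { $ownerSid.Translate([System.Security.Principal.NTAccount]).Value } catch { $ownerSid.Value })
    OwnerTrusted    = [bool]$ownerTrusted
    CreatorSid      = $(if ($creatorSid) { $creatorSid.Value } else { '(empty)' })
    CreatorTrusted  = [bool]$creatorTrusted
    LegacyOverride  = $legacyOverride
    ExpectedOutcome = $(if ($legacyOverride -or $ownerTrusted -or $creatorTrusted) {
                          'Re-use allowed'
                      } else {
                          'Re-use blocked by policy (error 0xaac in NetSetup.log)'
                      })
}
```

Run it as a domain user with read access to the computer object, e.g. `.\Check-ReuseEligibility.ps1 -ComputerName WS01 -AllowedGroup 'Computer Account Creators'` (script name is hypothetical). If Owner shows an admin group rather than the service account and that group is not in the policy group, the result matches the "Account exists and re-use is blocked by policy" line in the thread even though the account doing the join is in the group; fix it by adding the owner (or changing the object's owner), not by adding the joining account.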