After implementing KB5020276 (March 16), I'm still not able to re-join the PC to the domain

Szymon Masłowski 10 Reputation points
2023-03-27T14:05:22.1666667+00:00

Hello,

I've proceeded step by step with all instructions regarding KB5020276:

  1. Install the March 16 updates on all Domain Controllers
  2. Install the March 16 updates on the test workstation
  3. Set up new GPO setting as per documentation - settings taken by all DCs
  4. Ensured that NetJoinLegacyAccountReuse was not set in the registry

But still, I'm getting the error that account re-use is blocked by the security policy.

I've also checked NetSetup.log file and the output is quite strange:

IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2.

IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.

NetpDsValidateComputerReuseAttempt: returning NtStatus: 0, NetStatus: 0

NetpDsValidateComputerReuseAttempt: fReuseAllowed: FALSE, NetStatus 0x0

NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac

I've tested the behavior in 3 cases:

  1. Use a non-admin account with delegated permissions to join the PC and modify computer objects in AD assigned directly in GPO as a Trusted Computer Account Owner
  2. Use a non-admin account which is a member of the group that is added as Trusted Computer Account Owner in GPO
  3. Domain Admin Member

In all 3 cases, I'm getting the error that the account cannot be re-used.

After all, I've checked the alternative path, with NetJoinLegacyAccountReuse: only with this value set to 1 in the registry was I able to perform the domain re-join using the delegated account and the Domain Admin account.

Do you know what can be missing or wrongly configured in the KB5020276 (March 16) implementation? I've checked everything several times and I fail every time.


5 answers

  1. Dave Patrick 425.7K Reputation points MVP
    2023-03-27T21:02:35.6066667+00:00

    In all 3 cases, I'm getting the error that the account cannot be re-used

    Do you have a screenshot?


  2. Dave Patrick 425.7K Reputation points MVP
    2023-03-28T12:54:46.7366667+00:00

    This may be expected behavior. Some workarounds are also mentioned here.

    https://support.microsoft.com/en-au/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8

    --please don't forget to upvote and Accept as answer if the reply is helpful--


  3. Joe Lee 0 Reputation points
    2023-05-05T20:35:14.9+00:00

    We're running into the same issue. Everything that should be in place seems to be. A GPO grants account reuse to a group, all the accounts that we use to create accounts are in said group, latest updates seem to be everywhere, but we still get the same error that re-use is blocked by policy.

    After really looking at the logs I think I've tracked it down in our case. In NetSetup.log I found the following line:

    NetpGetADObjectOwnerAttributes: Ms-Ds-CreatorSid is empty.

    We looked and found the property wasn't defined on the device (or a lot of the devices in AD). I imagine this then boils down to that without a creator to check against it can't verify that it's in the trusted groups, so it blocks re-use as intended. Now to try and find out why that property doesn't seem to exist for us.


  4. Andrew Marx 0 Reputation points
    2023-09-20T18:31:01.1833333+00:00

    We're running into the same issue. Everything's by the book according to KB5020276, but still getting the same error. The only thing in the instructions that's causing us to scratch our heads is:

    Use the object picker to add users or groups of trusted computer account creators and owners to the Allow permission. (As a best practice, we highly recommend that you use groups for permissions.) Do not add the user account that performs the domain join.

    Is that last bolded line just reiterating that we should use a group instead of adding users directly? Or is there some difference I'm missing between "the user account that performs the domain join" and the "trusted computer account creators and owners"?


  5. Ben Wilkinson 0 Reputation points
    2023-11-29T04:41:34.06+00:00

    Just a note on this one, since I struggled with it for a while.

    From the wording of the doc, it's hard to pick up... until you realize.

    • The owner of the computer account that is being reused is a member of the "Domain controller: Allow computer account re-use during domain join." Group Policy setting

    So, in summary, whichever account is the owner on the computer you are trying to join should be in the group that is part of the policy.

    It's easy to miss... this is not the actual service account that is doing the domain join itself. Once the above is set up, ... only then do the ACLs on the OU or computer object come into play for the actual domain join.

    The two processes are totally separate, and I missed this at first.

    It's actually mentioned in a few places in the article, and I still missed it at first.

    • Ensure that one of the accounts listed in the policy "owns the computer account".
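The checks Joe Lee and Ben Wilkinson describe (is mS-DS-CreatorSID populated, and is the owner of the computer object covered by the group named in the GPO) can be run from a domain-joined admin workstation with the ActiveDirectory RSAT module. This is an added diagnostic script, not code from the thread or from Microsoft; `$ComputerName` and `$AllowedGroup` are placeholders for your own computer account and the group you granted in the "Allow computer account re-use during domain join" policy.

```powershell
# Added diagnostic (not from the thread): show who owns a computer account and
# whether that owner is covered by the group granted in the re-use policy.
param(
    [Parameter(Mandatory)] [string]$ComputerName,   # placeholder, e.g. 'WS-TEST01'
    [Parameter(Mandatory)] [string]$AllowedGroup    # placeholder: group named in the GPO
)
Import-Module ActiveDirectory

$computer = Get-ADComputer -Identity $ComputerName `
    -Properties 'mS-DS-CreatorSID', nTSecurityDescriptor

# The owner in the security descriptor is what the hardened join evaluates.
$ownerSid = $computer.nTSecurityDescriptor.GetOwner(
    [System.Security.Principal.SecurityIdentifier])
$owner = Get-ADObject -Filter "objectSid -eq '$($ownerSid.Value)'"

# mS-DS-CreatorSID is only set when a non-admin created the object; if it is
# empty, NetSetup.log reports "Ms-Ds-CreatorSid is empty" as seen above.
$creatorSid = if ($computer.'mS-DS-CreatorSID') {
    New-Object System.Security.Principal.SecurityIdentifier(
        $computer.'mS-DS-CreatorSID', 0)
} else { $null }

# Owner may be the policy group itself, a direct member (including a nested
# group such as Domain Admins) or an indirect member; collect all three.
$group   = Get-ADGroup -Identity $AllowedGroup
$direct  = @(Get-ADGroupMember -Identity $group)
$nested  = @(Get-ADGroupMember -Identity $group -Recursive)
$allowed = @($group.SID) + ($direct + $nested | ForEach-Object { $_.SID })
$ownerCovered = $allowed -contains $ownerSid

# Registry override documented in KB5020276 (should be absent once the GPO works).
$legacy = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\LSA' `
    -Name NetJoinLegacyAccountReuse -ErrorAction SilentlyContinue

[pscustomobject]@{
    Computer             = $computer.Name
    OwnerSid             = $ownerSid.Value
    Owner                = if ($owner) { $owner.Name } else { '(unresolved)' }
    CreatorSid           = if ($creatorSid) { $creatorSid.Value } else { '(empty)' }
    OwnerCoveredByPolicy = $ownerCovered
    LegacyReuseOverride  = if ($legacy) { $legacy.NetJoinLegacyAccountReuse } else { '(not set)' }
}
```

If `OwnerCoveredByPolicy` is `False`, either add the owner (or a group it belongs to) to the policy group or re-assign ownership of the computer object to a principal that is, rather than falling back to the registry override.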