Use the object picker to add users or groups of trusted computer account creators and owners to the Allow permission. (As a best practice, we highly recommend that you use groups for permissions.) Do not add the user account that performs the domain join.

Aidan McGee
2024-11-11T10:42:34.4566667+00:00

Hello

I hope this finds you well.

I am trying to resolve the issue I have with re-adding PCs to the domain:

"Use the object picker to add users or groups of trusted computer account creators and owners to the Allow permission. (As a best practice, we highly recommend that you use groups for permissions.) Do not add the user account that performs the domain join."

and the reference to https://support.microsoft.com/en-au/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8

We have always been able to reimage PCs and re-add them with the same name.

We did use the NetJoinLegacyAccountReuse key,

but that doesn't work any more.

I have added the group for adding PCs to the domain (installers) to:

  1. Under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, double-click Domain controller: Allow computer account re-use during domain join.
  2. Select Define this policy setting and <Edit Security…>.

But on reimage the PC will not add and comes up with an error due to security, etc.

I am a bit confused, as obviously when you reimage a PC it won't have the GPO details in it until it rejoins the domain.

I have deleted the PC from AD and re-added it with a new name; still no join.

If I don't name it and try to add it without it being in AD, it fails with "exceeded number of PCs", etc.

Am I missing something?

If I do a complete install of Windows from a USB, the same thing happens.

Thanks for any advice on this.

Aidan McGee

Tags: Active Directory, Windows 11

1 answer

  1. Yanhong Liu (Microsoft Vendor)
    2024-11-12T07:03:26.3+00:00

    Hello,

    Thank you for posting in Q&A forum.

    The issue you're facing is related to the domain join hardening changes introduced by Microsoft to improve security. You can follow the steps below to resolve this issue.

    Step 1: Verify and Configure Group Policy Settings

    Open Group Policy Management:

    • Press Windows + R to open the Run dialog box.

    • Type gpmc.msc and press Enter.

    Navigate to Security Options:

    • Go to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options.

    Modify Domain Controller: Allow computer account re-use during domain join:

    • Double-click on Domain controller: Allow computer account re-use during domain join.

    • Select Define this policy setting and click on Edit Security.

    • Add the group that has permissions to add PCs to the domain. Ensure this group has the Allow permission.

    Step 2: Ensure Appropriate Permissions

    Using Active Directory Users and Computers:

    • Open Active Directory Users and Computers.

    • Navigate to the OU where your computer accounts are stored.

    • Right-click on the OU and select Delegate Control.

    Delegate Control:

    • Follow the wizard to delegate control to the group or users responsible for adding computers to the domain.

    • Ensure the delegated permissions include Create and delete computer objects and read all properties.

    Step 3: Remove Legacy Registry Key

    Open Registry Editor:

    • Press Windows + R to open the Run dialog box.

    • Type regedit and press Enter.

    Navigate to the Key:

    • Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SAM.

    • Look for the NetJoinLegacyAccountReuse key and delete it if it exists.

    Step 4: Verify System Updates

    Check for Updates:

    • Ensure that all domain controllers and client machines are up to date with the latest Windows updates.

    Update Policy:

    • Run gpupdate /force on both the domain controller and client machines to ensure that all policies are applied correctly.

    Step 5: Re-add Computer to Domain

    Rename the Computer (if necessary):

    • If the computer account already exists in AD, consider renaming the computer before re-adding it to the domain.

    Join the Domain:

    • Use the following steps to join the computer to the domain:

    • Open System Properties.

    • Click Change to rename the computer or change its domain.

    • Enter the domain name and credentials of a user with permissions to join the domain.

    Check Event Logs:

    • After attempting to join the domain, check the Event Viewer for any relevant logs that might provide additional information about the error.

    Step 6: Test and Validate

    Reimage and Test:

    • After making the changes, reimage a test PC and attempt to join it to the domain.

    • Monitor the process to ensure that it completes successfully without any errors.

    By following these detailed steps, you should be able to resolve the issues with re-adding PCs to the domain.

    Best regards

    Yanhong

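Added example, not code from the question or from the Microsoft answer above: a PowerShell check a domain admin can run from a host with RSAT to see which KB5020276 condition a re-used name is actually failing. Because the re-use decision is taken by the domain controller, the relevant policy is the one applied to the DCs, not anything on the freshly imaged client, so the script looks at the DC side: the existing computer object and its owner (per the quoted guidance, the allow list holds the trusted account creators/owners, while a joiner who already owns the object or is a Domain Admin passes without it), the OU delegation and ms-DS-MachineAccountQuota behind the "exceeded number" failure for a brand-new name, and the allow-list value the GPO wrote on a DC. The computer name, group, OU, domain controller and the registry value name ComputerAccountReuseAllowList are assumptions to verify against your own environment and the KB.

```powershell
# Added example, not code from the original post or the Microsoft answer.
# Run as a domain admin on a host with RSAT (ActiveDirectory module).
# Every value in the param block is a placeholder assumption; replace it with your own.
#Requires -Modules ActiveDirectory
[CmdletBinding()]
param(
    [string]$ComputerName = 'PC-LAB-01',                            # assumed name being re-used
    [string]$JoinGroup    = 'installers',                           # assumed delegated join group
    [string]$TargetOU     = 'OU=Workstations,DC=corp,DC=example',   # assumed workstation OU
    [string]$DC           = (Get-ADDomainController -Discover).HostName,
    [switch]$PreStage                                               # re-create the object as the joiner
)
Import-Module ActiveDirectory

# --- 1. Existing account and its owner: the re-use check is evaluated against this object ---
$comp = Get-ADComputer -Filter "Name -eq '$ComputerName'" -Properties whenCreated
if ($comp) {
    $owner = (Get-Acl -Path "AD:\$($comp.DistinguishedName)").Owner
    Write-Output "Existing: $($comp.DistinguishedName)  created $($comp.whenCreated)  owner $owner"
    Write-Output "Re-use passes only if the joiner is $owner, a Domain Admin, or $owner is on the DC allow list."
} else {
    Write-Output "No account named $ComputerName exists; a failure here is quota/delegation, not re-use."
}

# --- 2. Why a brand-new name can still fail: quota vs. delegated create rights on the OU ---
$quota = (Get-ADObject (Get-ADDomain).DistinguishedName -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Output "ms-DS-MachineAccountQuota = $quota (applies only to users joining WITHOUT delegated rights)"
$computerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'     # schemaIDGUID of the computer class
$createAces = (Get-Acl -Path "AD:\$TargetOU").Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like "*\$JoinGroup" -and
    $_.ActiveDirectoryRights -match 'CreateChild' -and
    ($_.ObjectType -eq $computerClass -or $_.ObjectType -eq [Guid]::Empty)
}
Write-Output ("Group '{0}' can create computer objects in {1}: {2}" -f $JoinGroup, $TargetOU, [bool]$createAces)

# --- 3. What the GPO actually wrote on the DC ---
# The value name below is an assumption; confirm it against KB5020276 for your DC build.
$sddl = Invoke-Command -ComputerName $DC -ScriptBlock {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM' -ErrorAction SilentlyContinue).ComputerAccountReuseAllowList
}
if ($sddl) {
    Write-Output "Allow list on ${DC}: $sddl"
    (ConvertFrom-SddlString -Sddl $sddl).DiscretionaryAcl | ForEach-Object { Write-Output "  $_" }
} else {
    Write-Output "No allow list value on $DC; the policy has not applied there yet (gpupdate /force on the DC)."
}

# --- 4. Optional fix: re-create the object as the account that will perform the join ---
# An object created by the joining account is owned by that account, so the re-use
# check passes with no allow-list entry at all. Prompts for the joiner's credentials.
if ($PreStage) {
    $cred = Get-Credential -Message "Credentials of the account that will join $ComputerName"
    if ($comp) { Remove-ADComputer -Identity $comp -Confirm:$true }
    New-ADComputer -Name $ComputerName -Path $TargetOU -Enabled $true -Credential $cred
    Write-Output "Pre-staged $ComputerName as $($cred.UserName); join with the same credentials, e.g.:"
    Write-Output "  Add-Computer -DomainName corp.example -Credential $($cred.UserName) -OUPath '$TargetOU' -Restart"
}
```

Run it once without -PreStage to read the three diagnostics; if the owner shown in step 1 is neither the joining account nor a member of the allow list shown in step 3, that is the condition the DC is rejecting. Remove-ADComputer in step 4 refuses an object that has child objects (printers, BitLocker recovery keys); use Remove-ADObject -Recursive in that case, after confirming you can lose those children.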

