Domain Join hardening: An account with the same name exists in Active Directory, re-using the account was blocked by a security policy
Domain Join hardening
Hello All,
Hope this post finds you in good health and spirit.
This post is regarding “An account with the same name exists in Active Directory, re-using the account was blocked by a security policy.”
Windows updates released on or after October 11, 2022 include new security measures introduced in response to CVE-2022-38042. These protections block the re-use of an existing computer account in the target domain during a domain join unless one of the following is true:
- The user performing the join is the creator (owner) of the existing computer account.
- The existing computer account was created by a member of the Domain Admins group.
Error and Cause
After installing the October 11, 2022, or later Windows cumulative updates, domain join with computer account reuse might intentionally fail with the following error:
Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”
Resolution
Evaluate the computer account provisioning procedures to see if any changes are necessary.
- Use the same account that set up the computer account in the target domain to perform the join operation.
- Before attempting to rejoin the domain once again, remove the existing account if it is stale (unused).
- Rename the computer and join it under a new name for which no computer account exists yet.
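Before picking one of the three options it helps to look at the existing computer object: who its Creator/Owner is (the principal the new check compares against) and whether it is still in use. The following PowerShell is an added example for this post, not Microsoft's or the original author's code. It assumes the RSAT ActiveDirectory module is installed, that the current session can read (and, with -RemoveIfStale, delete) the object, and uses a placeholder computer name and an assumed 90-day threshold for "unused".

```powershell
# Added example, not part of the original post: inspect the existing computer
# object behind NERR_AccountReuseBlockedByPolicy and report which resolution
# applies. Requires the RSAT ActiveDirectory module. ComputerName, StaleDays
# and the 'Domain Admins' group name are placeholders/assumptions.
param(
    [Parameter(Mandatory)] [string] $ComputerName,  # e.g. 'SRV01' (placeholder)
    [int] $StaleDays = 90,                          # assumed threshold for "unused"
    [switch] $RemoveIfStale                         # actually delete a stale object
)
Import-Module ActiveDirectory -ErrorAction Stop

$name = $ComputerName.TrimEnd('$')
$obj  = Get-ADComputer -Filter "Name -eq '$name'" `
            -Properties nTSecurityDescriptor, LastLogonTimestamp, whenCreated, Enabled

if (-not $obj) {
    Write-Host "No computer object named '$name' exists; a plain join will create one."
    return
}

# The Creator/Owner of the object is what the October 2022 check looks at.
# $me is the identity of THIS session; if you will join with -Credential,
# compare $owner against that account instead.
$owner = $obj.nTSecurityDescriptor.Owner          # e.g. 'CORP\jdoe'
$me    = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Was the object created by a Domain Admin? Objects created by admins are
# usually owned by the 'Domain Admins' group itself, so check both the group
# SID and its recursive membership.
$ownerIsDA = $false
try {
    $ownerSid = ([System.Security.Principal.NTAccount] $owner).Translate(
                    [System.Security.Principal.SecurityIdentifier]).Value
    $daSid    = (Get-ADGroup -Identity 'Domain Admins').SID.Value
    $members  = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
    $ownerIsDA = ($ownerSid -eq $daSid) -or ($members.SID.Value -contains $ownerSid)
} catch { Write-Warning "Could not resolve owner '$owner' to a SID: $_" }

# lastLogonTimestamp replicates lazily (it can be up to 14 days behind), so it
# is only a coarse staleness signal; confirm before deleting anything.
$lastLogon = if ($obj.LastLogonTimestamp) { [DateTime]::FromFileTime($obj.LastLogonTimestamp) }
$isStale   = (-not $lastLogon) -or ($lastLogon -lt (Get-Date).AddDays(-$StaleDays))

Write-Host "Object     : $($obj.DistinguishedName)"
Write-Host "Owner      : $owner  (Domain Admin: $ownerIsDA)"
Write-Host "Created    : $($obj.whenCreated)"
Write-Host "Last logon : $(if ($lastLogon) { $lastLogon } else { 'never' })"
Write-Host "Enabled    : $($obj.Enabled)"

if ($owner -eq $me -or $ownerIsDA) {
    Write-Host "Option 1: re-use is permitted by policy; join with '$owner' (or the account that created it)."
}
elseif ($isStale) {
    Write-Host "Option 2: no logon for more than $StaleDays days; delete the stale object and re-join."
    if ($RemoveIfStale) {
        Remove-ADComputer -Identity $obj.DistinguishedName -Confirm:$false
        Write-Host "Deleted $($obj.DistinguishedName)."
    }
}
else {
    Write-Host "Option 3: active object owned by another principal; rename the computer and join under a new name."
}
```

Run it once without -RemoveIfStale to see the report, e.g. `.\Check-ComputerReuse.ps1 -ComputerName SRV01`, and only add the switch after confirming the object really is unused. An object that is still logging on but owned by someone else is the case where renaming (option 3) is the safe answer, not deletion.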
Workaround that has been tested and works fine on a number of server objects.
The following registry value can be set temporarily on each client machine if the existing computer account is controlled by a trusted security principal and the administrator wants to re-use it.
Delete the registry value as soon as the join finishes. No restart is needed for the change to take effect.
Path: HKLM\System\CurrentControlSet\Control\LSA
Type: REG_DWORD
Name: NetJoinLegacyAccountReuse
Value: 1 (other values are ignored)
To set it by hand, launch Registry Editor (regedit) on the affected device and navigate to the path below:
HKLM\System\CurrentControlSet\Control\LSA
The DWORD value "NetJoinLegacyAccountReuse" does not exist by default, so you have to create it: right-click the LSA key, choose New > DWORD (32-bit) Value, and name it NetJoinLegacyAccountReuse.
Open the new DWORD and set its value data to 1.
There is no need to restart the system; just retry joining the computer to the domain and the join will go through.
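Because the value is only supposed to exist for the duration of one join, it is worth scripting the whole thing so the cleanup cannot be forgotten. The PowerShell below is an added example for this post (not Microsoft's or the original author's code). It assumes an elevated session on the client, a placeholder domain name, and that the supplied credential is the account that owns (created) the existing computer object.

```powershell
# Added example, not part of the original post: set NetJoinLegacyAccountReuse
# only for the duration of a single Add-Computer call, then remove it again.
# Must run elevated on the client. DomainName/OUPath are placeholders.
param(
    [Parameter(Mandatory)] [string]        $DomainName,  # e.g. 'corp.example.com' (placeholder)
    [Parameter(Mandatory)] [pscredential]  $Credential,  # account that owns the existing computer object
    [string] $OUPath                                     # optional target OU (placeholder)
)
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$regName = 'NetJoinLegacyAccountReuse'

# Refuse to start if the value is already there: that means a previous run
# never cleaned up and the machine has been running with the protection off.
if (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue) {
    throw "$regName is already set on this machine; remove it and investigate before continuing."
}

try {
    New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "$regName = 1 set (no reboot required)."

    $joinArgs = @{ DomainName = $DomainName; Credential = $Credential; Force = $true; ErrorAction = 'Stop' }
    if ($OUPath) { $joinArgs.OUPath = $OUPath }

    # Deliberately NOT using -Restart: a reboot here would skip the finally
    # block below and leave the bypass in place. Reboot afterwards instead.
    Add-Computer @joinArgs
    Write-Host "Joined $DomainName with the existing computer account; restart when convenient."
}
finally {
    # Runs whether the join succeeded or failed, so the bypass never lingers.
    Remove-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
    if (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue) {
        Write-Warning "$regName is STILL present; remove it manually before rebooting."
    } else {
        Write-Host "$regName removed; account re-use protection is back in force."
    }
}
```

Usage from an elevated prompt, e.g. `.\Join-WithReuse.ps1 -DomainName corp.example.com -Credential (Get-Credential CORP\jdoe)`. If the join fails with 0xaac even with the value set, the cause is something other than the re-use check and the value still gets removed by the finally block.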
Important guidelines for using this workaround.
Attention: setting this key bypasses the protection and leaves the machine exposed to CVE-2022-38042 for as long as the value is present. Do not use this approach unless you have verified that the Creator/Owner of the existing computer object is a trusted security principal, and remove the value immediately after the join.
So, that’s all in this blog. I will meet you soon with next stuff. Have a nice day!!!
Guys, please don't forget to like and share the post. Also join our WindowsTechno Community, where you can post your queries/doubts and our experts will address them.
You can also share feedback at the Windows Techno email ID below.
If you have any questions, feel free to contact us at admin@windowstechno.com; also follow us on facebook@windowstechno to get updates about new blog posts.