Domain Join hardening: An account with the same name exists in Active Directory, re-using the account was blocked by a security policy

When you attempt to join a pre-created PC to a domain, or to reuse an existing computer account, the following error is encountered: “An account with the same name exists in Active Directory. Re-using the account was blocked by the security policy.” Windows updates released on and after October 11, 2022 introduce additional protections (hardening) for your environment. This hardening mitigates CVE-2022-38042 (Active Directory Domain Services Elevation of Privilege Vulnerability).

The NetJoinDomain function joins a computer to a workgroup or domain. Before proceeding to discuss this new behavior, let’s discuss how it was before. Kindly refer to some of these related guides: How to delete and restore objects using Active Directory Administrative Center, Active Directory Ports: Service and network port requirements for Windows, How to find disabled Active Directory User accounts, What are Active Directory Forest, Trees, Domain, and Sites, and how to Setup a Domain Controller.

Legacy behavior

Before the installation of the October 11, 2022 update, or later cumulative updates, the client computer queries Active Directory for an existing account with the same name. This query occurs during domain join and computer account provisioning. If such an account exists, the client will automatically attempt to reuse it.

Note: During this time, the reuse attempt will fail if the user who attempts the domain join operation does not have the appropriate write permissions. However, if the user has enough permissions, the domain join will succeed.

There are two scenarios (domain join and computer account provisioning), each with its own default behavior and flags that either disallow account reuse or allow it only when configured.

Reason for this behavior

Microsoft released KB5020276 last month (October 2022), which modifies the domain join process so that it performs additional security checks before attempting to reuse existing computer accounts. These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain, with the following exceptions:

  • Account reuse attempts will be permitted if the user attempting the operation is the creator of the existing account.
  • Account reuse attempts will be permitted if the account was created by a member of domain administrators.

Therefore, computer account reuse is only permitted in the two scenarios above.
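To see which of the two exceptions (if any) applies to an existing computer object before you delete or reuse it, you can read its owner and creator from Active Directory. The following is an added example, not code from the original post or from Microsoft; the function name and the sample computer name are hypothetical, and it assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: report who owns/created a computer account.
# Assumes the RSAT ActiveDirectory module; run as a user who can read the object.
Import-Module ActiveDirectory

function Get-ComputerAccountProvenance {
    param(
        [Parameter(Mandatory)][string]$ComputerName   # e.g. 'PC-EXAMPLE01' (constructed name)
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $c = Get-ADComputer -Identity $ComputerName `
         -Properties 'mS-DS-CreatorSID', nTSecurityDescriptor, whenCreated, lastLogonTimestamp

    # Owner of the object, taken from its security descriptor.
    $ownerSid = $c.nTSecurityDescriptor.GetOwner($sidType)

    # mS-DS-CreatorSID is only populated when a non-administrator created the
    # account (for example through the machine account quota); it may be empty.
    $creatorSid = $c.'mS-DS-CreatorSID'

    # SIDs treated as "domain administrators": the Domain Admins group itself
    # (RID 512) plus its direct and nested members.
    $daGroupSid = "$((Get-ADDomain).DomainSID.Value)-512"
    $daSids = @($daGroupSid) +
              @(Get-ADGroupMember -Identity $daGroupSid -Recursive | ForEach-Object { $_.SID.Value })

    $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value
    $lastLogon = if ($c.lastLogonTimestamp) { [datetime]::FromFileTimeUtc($c.lastLogonTimestamp) }

    [pscustomobject]@{
        Name                 = $c.Name
        Owner                = $c.nTSecurityDescriptor.Owner
        CreatorSid           = if ($creatorSid) { $creatorSid.Value } else { '(not set)' }
        OwnerIsDomainAdmin   = $daSids -contains $ownerSid.Value
        CurrentUserIsCreator = ($creatorSid -and $creatorSid.Value -eq $me) -or ($ownerSid.Value -eq $me)
        WhenCreated          = $c.whenCreated
        LastLogonUtc         = $lastLogon   # helps judge whether the account is stale
    }
}

# Example call (constructed name):
# Get-ComputerAccountProvenance -ComputerName 'PC-EXAMPLE01'
```

This is an advisory report only and does not reproduce the exact check the client performs during the join. If both `OwnerIsDomainAdmin` and `CurrentUserIsCreator` are false, expect the reuse to be blocked.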

New behavior

Once you install the October 11, 2022, or subsequent cumulative updates on a client computer, the client will perform additional security checks during domain join before attempting to reuse an existing computer account. If an account has already been pre-positioned (created) or previously joined to the domain, and you do not meet either of the two criteria for account reuse, the following error will be displayed.

These additional security checks are done before attempting to join the computer. If the checks are successful, the rest of the join operation is subject to Active Directory permissions as before. This change does not affect new accounts.

Note: Event ID 4101 is triggered when the error above occurs, and the issue is logged in c:\windows\debug\netsetup.log. Follow the steps below to understand the failure and resolve the issue.

Action Taken

Step 1: I am very okay with this hardening and will not be finding a way around it. I will simply proceed to Active Directory and have the computer account deleted. Then, I will proceed to have the device join the domain again.

Step 2: I will proceed to the device to have it joined to the domain again. Here are some related guides: How to join a computer to the Domain, The specified domain either does not exist or could not be contacted, and The following error occurred attempting to rename the computer, Account already exists.

You will be prompted to enter your Domain Administrators Account.

As you can see, the device has been successfully joined to the domain. Click on Ok.

Other Workarounds

Review computer account provisioning workflows and understand if changes are required.

  • Perform the join operation using the same account that created the computer account in the target domain.
  • If the existing account is stale (unused), delete it before attempting to join the domain again. This is exactly the action I took!
  • Rename the computer and join using a different account that doesn’t already exist. This is a possibility, but what if you really cannot use a different name? Then the next solution should work for you.
  • If the existing account is owned by a trusted security principal and an administrator wants to reuse the account, they might do so by temporarily setting the following registry key at the individual client computer level. Then immediately remove the registry setting after the join operation is complete. No restart is necessary for changes to the registry key to take effect.
    Path:  HKLM\System\CurrentControlSet\Control\LSA
    Type:  REG_DWORD
    Name:  NetJoinLegacyAccountReuse
    Value: 1 (other values are ignored)

Caution: If you choose to set this key to work around these protections, you will leave your environment vulnerable to CVE-2022-38042 unless your scenario is referenced below as appropriate. Do not use this method without confirmation that the Creator/Owner of the existing computer object is a secure and trusted security principal.

To set the key, launch the Registry Editor on the specific device in question, create the key, and modify the value as described above. You may have to create the key if it does not already exist. Navigate to the registry path below:

HKLM\System\CurrentControlSet\Control\LSA

As you can see, the DWORD Value “NetJoinLegacyAccountReuse” does not exist already. I will have to create it.

Modify the DWORD you have just created, and enter the value of 1 as discussed in the table above.

As recommended, if you must use this approach, remove the registry key immediately after the domain join; otherwise your environment will be vulnerable to CVE-2022-38042.
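Because the value must not outlive the join, scripting the workaround with a `finally` block guarantees the cleanup even when the join fails. The following is an added example, not part of the original post; the function name and domain name are hypothetical, and it assumes the join is performed with `Add-Computer` from an elevated PowerShell session instead of the System Properties dialog used above.

```powershell
# Added example: set NetJoinLegacyAccountReuse only for the duration of one join.
# Run elevated on the client that is being joined.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'NetJoinLegacyAccountReuse'

function Test-LegacyReuseValue {
    # True if the value is present; usable on its own to audit machines for leftovers.
    [bool](Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue)
}

function Join-DomainWithTemporaryReuse {
    param(
        [Parameter(Mandatory)][string]$DomainName,       # e.g. 'corp.example.com' (placeholder)
        [Parameter(Mandatory)][pscredential]$Credential  # account performing the join
    )

    # A value that is already present was set by someone else: stop and investigate
    # rather than silently removing it afterwards.
    if (Test-LegacyReuseValue) {
        throw "$ValueName is already set on this machine; review before continuing."
    }

    try {
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
        # No restart is needed for the value to take effect, so join straight away.
        Add-Computer -DomainName $DomainName -Credential $Credential -ErrorAction Stop
    }
    finally {
        # Runs on success and on failure, so the override never lingers.
        Remove-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
        if (Test-LegacyReuseValue) {
            Write-Warning "$ValueName could not be removed; delete it manually now."
        }
    }
}

# Example call (placeholder domain):
# Join-DomainWithTemporaryReuse -DomainName 'corp.example.com' -Credential (Get-Credential)
```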

Note: In the future, Microsoft might remove support for the NetJoinLegacyAccountReuse registry setting and will have it replaced with an alternative method. When this happens, we may have to update this piece or add it to the comment section.

I hope you found this blog post helpful. Please let me know in the comment section if you have any questions.
