
Tip: To view the new or revised March 14, 2023 content, see the various [March 14, 2023 - Start] and [End - March 14, 2023] tags throughout the article.

Summary

Windows updates released on and after October 11, 2022, contain additional protections introduced by CVE-2022-38042. These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain unless:

  • The user attempting the operation is the creator of the existing account.

    Or

  • The computer was created by a member of domain administrators.

    Or

[March 14, 2023 - Start]

  • The owner of the computer account that is being reused is a member of the "Domain controller: Allow computer account re-use during domain join" Group Policy setting. This setting requires the installation of Windows updates released on or after March 14, 2023, on ALL member computers and domain controllers.

Updates released on and after March 14, 2023, will provide additional options for affected customers on Windows Server 2012 R2 and above and all supported clients. For more information, see the October 11, 2022 behavior and Take Action sections. [End - March 14, 2023]

Behavior before October 11, 2022

Before you install the October 11, 2022, or later cumulative updates, the client computer queries Active Directory for an existing account with the same name. This query occurs during domain join and computer account provisioning. If such an account exists, the client will automatically attempt to reuse it.

Note The reuse attempt will fail if the user who attempts the domain join operation does not have the appropriate write permissions. However, if the user has enough permissions, the domain join will succeed.

There are two scenarios for domain join with respective default behaviors and flags as follows:

October 11, 2022 behavior 

Once you install the October 11, 2022, or later Windows cumulative updates on a client computer, during domain join, the client will perform additional security checks before attempting to reuse an existing computer account. Algorithm:

  1. Account reuse attempt will be permitted if the user attempting the operation is the creator of the existing account.

  2. Account reuse attempt will be permitted if the account was created by a member of domain administrators.

These additional security checks are done before attempting to join the computer. If the checks are successful, the rest of the join operation is subject to Active Directory permissions as before.

This change does not affect new accounts.

Note After installing the October 11, 2022, or later Windows cumulative updates, domain join with computer account reuse might intentionally fail with the following error:

Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”

If so, the account is intentionally being protected by the new behavior.

Event ID 4101 will be triggered once the error above occurs and the issue will be logged in c:\windows\debug\netsetup.log. Please follow the steps below in Take Action to understand the failure and resolve the issue.

March 14, 2023 behavior

[March 14, 2023 - Start]

In the Windows updates released on or after March 14, 2023, we made a few changes to the security hardening. These changes include all the changes we made on October 11, 2022.

First, we expanded the scope of groups that are exempt from this hardening. In addition to Domain Administrators, the Enterprise Administrators and Built-in Administrators groups are now exempt from the ownership check.

Second, we implemented a new Group Policy setting. Administrators can use it to specify an allow list of trusted computer account owners. The computer account will bypass the security check if one of the following is true:

  • The account is owned by a user specified as a trusted owner in the “Domain controller: Allow computer account re-use during domain join” Group Policy.

  • The account is owned by a user who is a member of a group specified as a trusted owner in the “Domain controller: Allow computer account re-use during domain join” Group Policy.

To use this new Group Policy, the domain controller and the member computer must consistently have the March 14, 2023, or later update installed. Some of you might have particular accounts that you use in automated computer account creation. If those accounts are safe from abuse and you trust them to create computer accounts, you can exempt them. You will still be secure against the original vulnerability mitigated by the October 11, 2022, Windows updates.
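The following is an added example for this article, not Microsoft's code. It predicts, for an existing computer object, whether a domain join by a given user would pass the re-use checks described in the October 11, 2022 and March 14, 2023 sections: the joining user created the account (mS-DS-CreatorSID), the owner is a member of Domain Admins, Enterprise Admins or BUILTIN\Administrators, or the owner appears directly or through a group in the allow-list SDDL. The rules are modelled as the article states them; it assumes the RSAT ActiveDirectory module and read access to the computer object, and the function and parameter names are assumptions of this example.

```powershell
# Added example (not Microsoft's code): model of the account re-use rules in this article.
# Assumes the RSAT ActiveDirectory module; Test-SidInGroup and Get-ComputerAccountReuseVerdict
# are names chosen for this example.
Import-Module ActiveDirectory

function Test-SidInGroup {
    # $true when $MemberSid is a direct or nested member of the group identified by $GroupSid.
    # A non-group $GroupSid (a user SID from the allow list) makes Get-ADGroupMember fail -> $false.
    param([string] $MemberSid, [string] $GroupSid)
    $members = Get-ADGroupMember -Identity $GroupSid -Recursive -ErrorAction SilentlyContinue
    return [bool] ($members | Where-Object { $_.SID.Value -eq $MemberSid })
}

function Get-ComputerAccountReuseVerdict {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,  # computer name (sAMAccountName without the trailing $)
        [Parameter(Mandatory)] [string] $JoiningUser,   # 'DOMAIN\user' that will run the join
        [string] $AllowListSddl                         # SDDL from the allow-list policy, if configured
    )

    $computer = Get-ADComputer -Identity $ComputerName -Properties 'mS-DS-CreatorSID', 'nTSecurityDescriptor'
    $ownerSid = $computer.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier]).Value
    $creatorSid = $null
    if ($computer.'mS-DS-CreatorSID') {
        # The attribute is stored as a byte array; the second argument is the offset into it.
        $creatorSid = [System.Security.Principal.SecurityIdentifier]::new($computer.'mS-DS-CreatorSID', 0).Value
    }
    $joinerSid = [System.Security.Principal.NTAccount]::new($JoiningUser).Translate(
        [System.Security.Principal.SecurityIdentifier]).Value

    # Well-known RIDs: Domain Admins 512 (this domain), Enterprise Admins 519 (forest root domain).
    $domainSid = (Get-ADDomain).DomainSID.Value
    $rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
    $exemptGroups = @{
        'Domain Admins'          = "$domainSid-512"
        'Enterprise Admins'      = "$rootSid-519"
        'BUILTIN\Administrators' = 'S-1-5-32-544'
    }

    $reasons = @()
    # Rule 1 (October 2022): the joining user created the existing account.
    if ($creatorSid -and $creatorSid -eq $joinerSid) {
        $reasons += 'joining user is the creator of the existing account'
    }
    # Rule 2 (October 2022, widened March 2023): the owner is in an exempt administrators group.
    foreach ($g in $exemptGroups.GetEnumerator()) {
        if (Test-SidInGroup -MemberSid $ownerSid -GroupSid $g.Value) {
            $reasons += "owner is a member of $($g.Key)"
        }
    }
    # Rule 3 (March 2023): the owner, or a group the owner belongs to, is an allow ACE in the SDDL.
    if ($AllowListSddl) {
        $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($AllowListSddl)
        foreach ($ace in $sd.DiscretionaryAcl) {
            if ($ace.AceType -ne 'AccessAllowed') { continue }
            $trusted = $ace.SecurityIdentifier.Value
            if ($trusted -eq $ownerSid) {
                $reasons += "owner $trusted is listed directly in the allow list"
            } elseif (Test-SidInGroup -MemberSid $ownerSid -GroupSid $trusted) {
                $reasons += "owner is a member of allow-listed group $trusted"
            }
        }
    }

    [pscustomobject]@{
        Computer     = $computer.DistinguishedName
        OwnerSid     = $ownerSid
        CreatorSid   = $creatorSid
        JoinerSid    = $joinerSid
        ReuseAllowed = ($reasons.Count -gt 0)
        Reasons      = $reasons
    }
}

# Usage (constructed names). The SDDL is the value Group Policy writes on a domain controller.
# $sddl = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM').ComputerAccountReuseAllowList
# Get-ComputerAccountReuseVerdict -ComputerName 'Computer2' -JoiningUser 'CONTOSO\svc-provision' -AllowListSddl $sddl
```

A verdict of ReuseAllowed = $false before the join is the signal to pick one of the workarounds in Take Action (join with the creating account, delete the stale account, rename, or add the owner to the allow list) rather than reaching for the NetJoinLegacyAccountReuse key.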

We also plan to remove the original NetJoinLegacyAccountReuse registry setting in a future Windows update. This removal is tentatively scheduled for the update dated September 9, 2023. Release dates are subject to change.

Note If you deployed the NetJoinLegacyAccountReuse key on your clients and set it to value 1, you must now remove that key (or set it to 0) to benefit from the latest changes. [End - March 14, 2023]

Take Action

[March 14, 2023 - Start]

Configure the new allow list policy using the Group Policy on a domain controller. Remove any legacy client-side workarounds as soon as possible before September 2023. Then, do the following:

  1. You must install the March 14, 2023, updates on all member computers and domain controllers. 

  2. In a new or existing group policy that applies to all domain controllers, configure the settings in the steps below.

  3. Under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, double-click Domain controller: Allow computer account re-use during domain join.

  4. Select Define this policy setting and <Edit Security…>.

  5. Use the object picker to add users or groups of trusted computer account creators and owners to the Allow permission. (As a best practice, we highly recommend that you use groups for permissions.) Do not add the user account that performs the domain join.

    Warning: Limit membership to the policy to trusted users and service accounts. Do not add authenticated users, everyone or other large groups to this policy. Instead, add specific trusted users and service accounts to groups and add those groups to the policy.

  6. Wait for the Group Policy refresh interval or run gpupdate /force on all domain controllers.

  7. Verify that the ComputerAccountReuseAllowList registry value under HKLM\System\CurrentControlSet\Control\SAM is populated with the desired SDDL string. Do not manually edit the registry.

  8. Attempt to join a computer that has the March 14, 2023, or later update installed. Ensure that one of the accounts listed in the policy owns the computer account. Also ensure that its registry does not have the NetJoinLegacyAccountReuse key enabled (set to 1). If the domain join fails, check the c:\windows\debug\netsetup.log.
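Steps 6 through 8 as runnable checks, added here as an example and not taken from the article: Get-ReuseAllowListStatus runs on a domain controller and reports whether Group Policy has populated the SAM registry value and which principals the SDDL trusts; Get-LegacyReuseKeyStatus runs on the client to be joined and reports whether the NetJoinLegacyAccountReuse workaround is still on; Get-ReusePolicyEvents pulls the events listed under New event logs. The registry paths are the ones the article names; the function names are assumptions of this example, and the event source names are used exactly as the article prints them.

```powershell
# Added example (not Microsoft's code): verification helpers for the Take Action steps.
# Function names are chosen for this example; registry paths are those given in the article.

function Get-ReuseAllowListStatus {
    # Step 7: Group Policy writes the allow list here; do not edit it by hand.
    $samKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'
    $sddl = (Get-ItemProperty -Path $samKey -ErrorAction SilentlyContinue).ComputerAccountReuseAllowList
    if (-not $sddl) {
        return [pscustomobject]@{ Configured = $false; Sddl = $null; TrustedPrincipals = @(); OverlyBroad = @() }
    }
    # Resolve each allow ACE to a name so the list can be reviewed against the warning in
    # step 5 (specific trusted users and service accounts, added through groups).
    $sd = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
    $principals = foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne 'AccessAllowed') { continue }
        $sid = $ace.SecurityIdentifier
        try   { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $name = '<unresolved>' }
        [pscustomobject]@{ Sid = $sid.Value; Name = $name }
    }
    # Everyone (S-1-1-0), Authenticated Users (S-1-5-11) and Domain Users (RID 513) are
    # the kind of large groups the article says never to add.
    $broad = @($principals | Where-Object {
        ($_.Sid -in @('S-1-1-0', 'S-1-5-11')) -or ($_.Sid -like 'S-1-5-21-*-513') })
    [pscustomobject]@{
        Configured        = $true
        Sddl              = $sddl
        TrustedPrincipals = @($principals)
        OverlyBroad       = $broad
    }
}

function Get-LegacyReuseKeyStatus {
    # Step 8: the client must not have NetJoinLegacyAccountReuse set to 1.
    $lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
    $value = (Get-ItemProperty -Path $lsaKey -ErrorAction SilentlyContinue).NetJoinLegacyAccountReuse
    [pscustomobject]@{
        Present = ($null -ne $value)
        Value   = $value
        Enabled = ($value -eq 1)    # only 1 is honoured; the article says other values are ignored
    }
}

function Get-ReusePolicyEvents {
    # 16995-16998 (Directory-Services-SAM, on the DC) and 4100/4101 (Netjoin, on the client).
    param([int] $Hours = 24)
    Get-WinEvent -FilterHashtable @{
        LogName      = 'System'
        ProviderName = @('Directory-Services-SAM', 'Netjoin')
        Id           = @(4100, 4101, 16995, 16996, 16997, 16998)
        StartTime    = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, ProviderName, Message
}

# Usage: on a domain controller after gpupdate /force (step 6)
#   Get-ReuseAllowListStatus | Format-List
# on the client before attempting the join (step 8)
#   Get-LegacyReuseKeyStatus
#   Get-ReusePolicyEvents -Hours 48
```

An empty OverlyBroad list and Configured = $true on every domain controller, together with Enabled = $false on the client, is the state the article expects before the join in step 8 is attempted; event 16996 in the output means the SDDL the policy delivered is malformed and the policy itself needs correcting.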

If you still need an alternate workaround, review computer account provisioning workflows and understand if changes are required. [End - March 14, 2023]

  1. Perform the join operation using the same account that created the computer account in the target domain.

  2. If the existing account is stale (unused), delete it before attempting to join the domain again.

  3. Rename the computer and join using a different account that doesn’t already exist.

  4. If the existing account is owned by a trusted security principal and an administrator wants to reuse the account, follow the guidance in the Take Action section to install the March 2023 Windows update and configure an allow list.

Important guidance for using the NetJoinLegacyAccountReuse registry key

Caution: If you choose to set this key to work around these protections, you will leave your environment vulnerable to CVE-2022-38042 unless your scenario is referenced below as appropriate. Do not use this method without confirmation that the Creator/Owner of the existing computer object is a secure and trusted security principal. 

[March 14, 2023 - Start]

Because of the new Group Policy, you should no longer use the NetJoinLegacyAccountReuse registry key. We will preserve the key for the next six (6) months in case you need workarounds. If you cannot configure the new GPO in your scenario, we strongly encourage you to contact Microsoft Support.

Path: HKLM\System\CurrentControlSet\Control\LSA

Type: REG_DWORD

Name: NetJoinLegacyAccountReuse

Value: 1

Other values are ignored.

Note Microsoft will remove support for the NetJoinLegacyAccountReuse registry setting in a future Windows update. This removal is tentatively scheduled for the update dated September 9, 2023. Release dates are subject to change. [End - March 14, 2023]

Nonsolutions

[March 14, 2023 - Start]

  • After you install the March 14, 2023, or later updates on DCs and clients in the environment, do not use the NetJoinLegacyAccountReuse registry key. Instead, follow the steps in Take Action to configure the new GPO. [End - March 14, 2023]

  • Do not add service accounts or provisioning accounts to the Domain Admins security group.

  • Do not manually edit the security descriptor on computer accounts in an attempt to redefine the ownership of such accounts. While editing the owner will enable the new checks to succeed, the computer account might retain the same potentially risky, unwanted permissions for the original owner unless explicitly reviewed and removed.

  • Do not add the NetJoinLegacyAccountReuse registry key to base OS images because the key should only be temporarily added and then removed directly after the domain join completes.

New event logs

Event log: SYSTEM

Event Source: Netjoin

Event ID: 4100

Event Type: Informational

Event Text: "During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name. An attempt to re-use this account was permitted. Domain controller searched: <domain controller name> Existing computer account DN: <DN path of computer account>. See https://go.microsoft.com/fwlink/?linkid=2202145 for more information."

Event log: SYSTEM

Event Source: Netjoin

Event ID: 4101

Event Type: Error

Event Text: "During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name. An attempt to re-use this account was prevented for security reasons. Domain controller searched:  Existing computer account DN: The error code was <error code>. See https://go.microsoft.com/fwlink/?linkid=2202145 for more information."

Debug logging is available by default (no need to enable any verbose logging) in C:\Windows\Debug\netsetup.log on all client computers.

Example of the debug logging generated when the reuse of the account is prevented for security reasons:

NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=Computer2,CN=Computers,DC=contoso,DC=com
NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=Computer2,CN=Computers,DC=contoso,DC=com
NetpCheckIfAccountShouldBeReused: Account was created through joinpriv and does not belong to this user. Blocking re-use of account.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac
NetpProvisionComputerAccount: LDAP creation failed: 0xaac
ldap_unbind status: 0x0
NetpJoinCreatePackagePart: status:0xaac.
NetpJoinDomainOnDs: Function exits with status of: 0xaac
NetpJoinDomainOnDs: status of disconnecting from '\\DC1.contoso.com': 0x0
NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'contoso.com' returned 0x0
NetpJoinDomainOnDs: NetpResetIDNEncoding on 'contoso.com': 0x0
NetpDoDomainJoin: status: 0xaac

New events added in March 2023 

[March 14, 2023 - Start]

This update adds four (4) new events in the SYSTEM log on the domain controller as follows:

Event Level: Informational

Event Id: 16995

Log: SYSTEM

Event Source: Directory-Services-SAM

Event Text:

The security account manager is using the specified security descriptor for validation of computer account re-use attempts during domain join.

SDDL Value: <SDDL String>

This allow list is configured through group policy in Active Directory.

For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Event Level: Error

Event Id: 16996

Log: SYSTEM

Event Source: Directory-Services-SAM

Event Text:

The security descriptor that contains the computer account re-use allow list being used to validate client requests domain join is malformed.

SDDL Value: <SDDL String>

This allow list is configured through group policy in Active Directory.

To correct this problem an administrator will need to update the policy to set this value to a valid security descriptor or disable it.

For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Event Level: Error

Event Id: 16997

Log: SYSTEM

Event Source: Directory-Services-SAM

Event Text:

The security account manager found a computer account that appears to be orphaned and does not have an existing owner.

Computer Account: S-1-5-xxx

Computer Account Owner: S-1-5-xxx

For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Event Level: Warning

Event Id: 16998

Log: SYSTEM

Event Source: Directory-Services-SAM

Event Text:

The security account manager rejected a client request to re-use a computer account during domain join.

The computer account and the client identity did not meet the security validation checks.

Client Account: S-1-5-xxx

Computer Account: S-1-5-xxx

Computer Account Owner: S-1-5-xxx

Check the record data of this event for the NT Error code.

For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145

If needed, the netsetup.log can give more information. See the example below from a working machine.

NetpReadAccountReuseModeFromAD: Searching '<WKGUID=AB1D30F3768811D1ADED00C04FD8D5CD,DC=contoso,DC=com>' for '(&(ObjectClass=ServiceConnectionPoint)(KeyWords=NetJoin*))'.
NetpReadAccountReuseModeFromAD: Got 0 Entries.
Returning NetStatus: 0, ADReuseMode: 0
IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2. 
IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: 0, NetStatus: 0
NetpDsValidateComputerAccountReuseAttempt: returning Result: TRUE
NetpCheckIfAccountShouldBeReused: Active Directory Policy check returned NetStatus:0x0.
NetpCheckIfAccountShouldBeReused: Account re-use attempt was permitted by Active Directory Policy.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: TRUE, NetStatus:0x0

If only the client has the March 14, 2023 or later update, the Active Directory policy check will return 0x32 STATUS_NOT_SUPPORTED. Previous checks that were implemented in the November hotfixes will apply as shown below.

NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=LT-NIClientBA,CN=Computers,DC=contoso,DC=com
NetpGetADObjectOwnerAttributes: Ms-Ds-CreatorSid is empty.
NetpGetNCData: Reading NC data
NetpReadAccountReuseModeFromAD: Searching '<WKGUID=AB1D30F3768811D1ADED00C04FD8D5CD,DC=LT2k16dom,DC=com>' for '(&(ObjectClass=ServiceConnectionPoint)(KeyWords=NetJoin*))'.
NetpReadAccountReuseModeFromAD: Got 0 Entries.
Returning NetStatus: 0, ADReuseMode: 0
IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2. 
IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: c00000bb, NetStatus: 32 
NetpDsValidateComputerAccountReuseAttempt: returning Result: FALSE
NetpCheckIfAccountShouldBeReused: Active Directory Policy check returned NetStatus:0x32.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac 
NetpProvisionComputerAccount: LDAP creation failed: 0xaac
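The following triage helper for netsetup.log is an added example, not code from the article. It picks out the lines that the three excerpts above turn on and reports whether the re-use attempt was permitted, which rule decided it, whether the legacy registry key was set, and whether the Active Directory policy check returned 0x32 (the article's sign that only the client has the March 14, 2023 update). The function and field names are assumptions of this example; the sample at the end is constructed from the patterns shown in the excerpts.

```powershell
# Added example (not Microsoft's code): summarise a netsetup.log account re-use decision.
# Get-NetsetupReuseDiagnosis and its field names are chosen for this example.

function Get-NetsetupReuseDiagnosis {
    param(
        # Defaults to the client's own log, which the article says is always written.
        [string[]] $Lines = (Get-Content -Path 'C:\Windows\Debug\netsetup.log')
    )
    $r = [ordered]@{
        ExistingAccountDn = $null
        LegacyRegistryKey = $null   # TRUE/FALSE as reported by IsLegacyAccountReuseSetInRegistry
        AdPolicyNetStatus = $null   # 0x0: DC evaluated the allow list; 0x32: DC lacks the March update
        ReuseAllowed      = $null
        Reason            = $null
        JoinStatus        = $null   # final NetpDoDomainJoin status; 0xaac = NERR_AccountReuseBlockedByPolicy
        Note              = $null
    }
    foreach ($line in $Lines) {
        if ($line -match 'NetpGetComputerObjectDn: .*\bDN = (?<dn>.+)$') {
            $r.ExistingAccountDn = $Matches.dn.Trim()
        } elseif ($line -match "IsLegacyAccountReuseSetInRegistry returning: '(?<v>TRUE|FALSE)'") {
            $r.LegacyRegistryKey = $Matches.v
        } elseif ($line -match 'Active Directory Policy check returned NetStatus:(?<s>0x[0-9A-Fa-f]+)') {
            $r.AdPolicyNetStatus = $Matches.s
        } elseif ($line -match 'NetpCheckIfAccountShouldBeReused:\s*fReuseAllowed: (?<a>TRUE|FALSE)') {
            $r.ReuseAllowed = ($Matches.a -eq 'TRUE')
        } elseif ($line -match '^NetpCheckIfAccountShouldBeReused: (?<why>.+)$') {
            # Any other NetpCheckIfAccountShouldBeReused line states the rule that decided the outcome.
            $r.Reason = $Matches.why
        } elseif ($line -match 'NetpDoDomainJoin: status: (?<st>0x[0-9A-Fa-f]+)') {
            $r.JoinStatus = $Matches.st
        }
    }

    if ($r.AdPolicyNetStatus -eq '0x32') {
        $r.Note = 'Policy check returned 0x32: the domain controller does not have the March 14, 2023 update, so only the October 2022 checks applied.'
    } elseif ($r.LegacyRegistryKey -eq 'TRUE') {
        $r.Note = 'NetJoinLegacyAccountReuse is set on this client; remove it and use the allow-list policy instead.'
    } elseif ($r.ReuseAllowed -eq $false) {
        $r.Note = 'Re-use blocked: join with the creating account, delete the stale account, rename the computer, or add the owner to the allow list.'
    } elseif ($r.ReuseAllowed) {
        $r.Note = 'Re-use permitted.'
    }
    [pscustomobject] $r
}

# Constructed sample in the shape of the third excerpt above (client updated, DC not).
$sample = @'
NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=Computer2,CN=Computers,DC=contoso,DC=com
IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
NetpCheckIfAccountShouldBeReused: Active Directory Policy check returned NetStatus:0x32.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpDoDomainJoin: status: 0xaac
'@ -split "`r?`n"
Get-NetsetupReuseDiagnosis -Lines $sample | Format-List
```

Run without -Lines on the client that failed to join, it reads the live C:\Windows\Debug\netsetup.log; the Note field distinguishes a domain controller that has not received the update (0x32) from a client that still carries the legacy key and from a genuine policy block, which are the three cases the excerpts above illustrate.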

[End - March 14, 2023]
