KB5020276—Netjoin: Domain join hardening changes

Summary

Windows updates released on and after October 11, 2022, contain additional protections introduced by CVE-2022-38042. These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain unless:

The user attempting the operation is the creator of the existing account.

Or
The computer was created by a member of domain administrators.

Or

The owner of the computer account that is being reused is a member of the "Domain controller: Allow computer account re-use during domain join." Group Policy setting. This setting requires the installation of Windows updates released on or after March 14, 2023, on ALL member computers and domain controllers.

Updates released on and after March 14, 2023 and September 12, 2023, will provide additional options for affected customers on Windows Server 2012 R2 and above and all supported clients. For more information, see the October 11, 2022 behavior and Take Action sections.

Behavior before October 11, 2022

Before you install the October 11, 2022, or later cumulative updates, the client computer queries Active Directory for an existing account with the same name. This query occurs during domain join and computer account provisioning. If such an account exists, the client will automatically attempt to reuse it.

Note The reuse attempt will fail if the user who attempts the domain join operation does not have the appropriate write permissions. However, if the user has enough permissions the domain join will succeed.

There are two scenarios for domain join with respective default behaviors and flags as follows:

Domain Join (NetJoinDomain)
- Defaults to account reuse (unless NETSETUP_NO_ACCT_REUSE flag is specified)
Account provisioning (NetProvisionComputerAccountNetCreateProvisioningPackage).
- Defaults to NO reuse (unless NETSETUP_PROVISION_REUSE_ACCOUNT is specified.)

October 11, 2022 behavior

Once you install the October 11, 2022, or later Windows cumulative updates on a client computer, during domain join, the client will perform additional security checks before attempting to reuse an existing computer account. Algorithm:

Account reuse attempt will be permitted if the user attempting the operation is the creator of the existing account.
Account reuse attempt will be permitted if the account was created by a member of domain administrators.

These additional security checks are done before attempting to join the computer. If the checks are successful, the rest of the join operation is subject to Active Directory permissions as before.

This change does not affect new accounts.

Note After installing the October 11, 2022, or later Windows cumulative updates, domain join with computer account reuse might intentionally fail with the following error:

Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”

If so, the account is intentionally being protected by the new behavior.

Event ID 4101 will be triggered once the error above occurs and the issue will be logged in c:\windows\debug\netsetup.log. Please follow the steps below in Take Action to understand the failure and resolve the issue.

March 14, 2023 behavior

In the Windows updates released on or after March 14, 2023, we made a few changes to the security hardening. These changes include all the changes we made in October 11, 2022.

First, we expanded the scope of groups that are exempt from this hardening. In addition to Domain Administrators, Enterprise Administrators and Built-in Administrators groups are now exempt from the ownership check.

Second, we implemented a new Group Policy setting. Administrators can use it to specify an allow list of trusted computer account owners. The computer account will bypass the security check if one of the following is true:

The account is owned by a user specified as a trusted owner in the “Domain controller: Allow computer account re-use during domain join” Group Policy.
The account is owned by a user who is a member of a group specified as a trusted owner in the “Domain controller: Allow computer account re-use during domain join” Group Policy.

To use this new Group Policy, the domain controller and the member computer must consistently have the March 14, 2023, or later update installed. Some of you might have particular accounts that you use in automated computer account creation. If those accounts are safe from abuse and you trust them to create computer accounts, you can exempt them. You will still be secure against the original vulnerability mitigated by the October 11, 2022, Windows updates.

^{September 12, 2023 behavior}

In the Windows updates released on or after September 12, 2023, we made a few additional changes to the security hardening. These changes include all the changes we made in October 11, 2022, and the changes from March 14, 2023.

We addressed an issue where domain join using smart card authentication failed regardless of the policy setting. To fix this issue, we moved the remaining security checks back to the Domain Controller. Therefore, following the September 2023 security update, client machines make authenticated SAMRPC calls to the domain controller to perform security validation checks related to reusing computer accounts.

However, this may cause domain join to fail in environments where the following policy is set: Network access: Restrict clients allowed to make remote calls to SAM. Please see the "Known Issues" section for information on how to resolve this issue.

We also plan to remove the original NetJoinLegacyAccountReuse registry setting in a future Windows update. [January 2024 - Start] This removal is tentatively scheduled for the update dated August 13, 2024. Release dates are subject to change. [End - January 2024]

Note If you deployed the NetJoinLegacyAccountReuse key on your clients and set it to value 1, you must now remove that key (or set it to 0) to benefit from the latest changes.

Take Action

Configure the new allow list policy using the Group Policy on a domain controller and remove any legacy client-side workarounds. Then, do the following:

You must install the September 12, 2023 or later updates on all member computers and domain controllers.
In a new or existing group policy that applies to all domain controllers, configure the settings in the steps below.
Under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, double-click Domain controller: Allow computer account re-use during domain join.
Select Define this policy setting and <Edit Security…>.
Use the object picker to add users or groups of trusted computer account creators and owners to the Allow permission. (As a best practice, we highly recommend that you use groups for permissions.) Do not add the user account that performs the domain join.

Warning: Limit membership to the policy to trusted users and service accounts. Do not add authenticated users, everyone or other large groups to this policy. Instead, add specific trusted users and service accounts to groups and add those groups to the policy.
Wait for the Group Policy refresh interval or run gpupdate /force on all domain controllers.
Verify that the HKLM\System\CCS\Control\SAM – “ComputerAccountReuseAllowList” registry key is populated with the desired SDDL. Do not manually edit the registry.
Attempt to join a computer that has the September 12, 2023, or later updates installed. Ensure that one of the accounts listed in the policy owns the computer account. Also ensure that its registry does not have the NetJoinLegacyAccountReuse key enabled (set to 1). If the domain join fails, check the c:\windows\debug\netsetup.log.

If you still need an alternate workaround, review computer account provisioning workflows and understand if changes are required.

Perform the join operation using the same account that created the computer account in the target domain.
If the existing account is stale (unused), delete it before attempting to join the domain again.
Rename the computer and join using a different account that doesn’t already exist.
If the existing account is owned by a trusted security principal and an administrator wants to reuse the account, follow the guidance in the Take Action section to install the September 2023 or later Windows updates and configure an allow list.

Important guidance for using the NetJoinLegacyAccountReuse registry key

Caution: If you choose to set this key to work around these protections, you will leave your environment vulnerable to CVE-2022-38042 unless your scenario is referenced below as appropriate. Do not use this method without confirmation that the Creator/Owner of the existing computer object is a secure and trusted security principal.

Because of the new Group Policy, you should no longer use the NetJoinLegacyAccountReuse registry key. [January 2024 - Start] We will preserve the key for the next several months in case you need workarounds. [End - January 2024] If you cannot configure the new GPO in your scenario, we strongly encourage you to contact Microsoft Support.

Path	HKLM\System\CurrentControlSet\Control\LSA
Type	REG_DWORD
Name	NetJoinLegacyAccountReuse
Value	1 Other values are ignored.

Note Microsoft will remove support for the NetJoinLegacyAccountReuse registry setting in a future Windows update. [January 2024 - Start] This removal is tentatively scheduled for the update dated August 13, 2024. Release dates are subject to change. [End - January 2024]

Nonsolutions

After you install September 12, 2023, or later updates on DCs and clients in the environment, do not use the NetJoinLegacyAccountReuse registry. Instead, follow the steps in Take Action to configure the new GPO.
Do not add service accounts or provisioning accounts to the Domain Admins security group.
Do not manually edit the security descriptor on computer accounts in an attempt to redefine the ownership of such accounts, unless the previous owner account has been deleted. While editing the owner will enable the new checks to succeed, the computer account might retain the same potentially risky, unwanted permissions for the original owner unless explicitly reviewed and removed.
Do not add the NetJoinLegacyAccountReuse registry key to base OS images because the key should only be temporarily added and then removed directly after the domain join completes.

New event logs

Event log	SYSTEM
Event Source	Netjoin
Event ID	4100
Event Type	Informational
Event Text	"During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name. An attempt to re-use this account was permitted. Domain controller searched: <domain controller name>Existing computer account DN: <DN path of computer account>. See https://go.microsoft.com/fwlink/?linkid=2202145 for more information.

Event log	SYSTEM
Event Source	Netjoin
Event ID	4101
Event Type	Error
Event Text	During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name. An attempt to re-use this account was prevented for security reasons. Domain controller searched: Existing computer account DN: The error code was <error code>. See https://go.microsoft.com/fwlink/?linkid=2202145 for more information.

Debug logging is available by default (no need to enable any verbose logging) in C:\Windows\Debug\netsetup.log on all client computers.

Example of the debug logging generated when the reuse of the account is prevented for security reasons:

NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=Computer2,CN=Computers,DC=contoso,DC=com
NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=Computer2,CN=Computers,DC=contoso,DC=com
NetpCheckIfAccountShouldBeReused: Account was created through joinpriv and does not belong to this user. Blocking re-use of account.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac
NetpProvisionComputerAccount: LDAP creation failed: 0xaac
ldap_unbind status: 0x0
NetpJoinCreatePackagePart: status:0xaac.
NetpJoinDomainOnDs: Function exits with status of: 0xaac
NetpJoinDomainOnDs: status of disconnecting from '\\DC1.contoso.com': 0x0
NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'contoso.com' returned 0x0
NetpJoinDomainOnDs: NetpResetIDNEncoding on 'contoso.com': 0x0
NetpDoDomainJoin: status: 0xaac

New events added in March 2023

This update adds four (4) new events in the SYSTEM log on the domain controller as follows:

Event Level	Informational
Event Id	16995
Log	SYSTEM
Event Source	Directory-Services-SAM
Event Text	The security account manager is using the specified security descriptor for validation of computer account re-use attempts during domain join. SDDL Value: <SDDL String> This allow list is configured through group policy in Active Directory. For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Event Level	Error
Event Id	16996
Log	SYSTEM
Event Source	Directory-Services-SAM
Event Text	The security descriptor that contains the computer account re-use allow list being used to validate client requests domain join is malformed. SDDL Value: <SDDL String> This allow list is configured through group policy in Active Directory. To correct this problem an administrator will need to update the policy to set this value to a valid security descriptor or disable it. For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Event Level	Error
Event Id	16997
Log	SYSTEM
Event Source	Directory-Services-SAM
Event Text	The security account manager found a computer account that appears to be orphaned and does not have an existing owner. Computer Account: S-1-5-xxx Computer Account Owner: S-1-5-xxx For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Event Level	Warning
Event Id	16998
Log	SYSTEM
Event Source	Directory-Services-SAM
Event Text	The security account manager rejected a client request to re-use a computer account during domain join. The computer account and the client identity did not meet the security validation checks. Client Account: S-1-5-xxx Computer Account: S-1-5-xxx Computer Account Owner: S-1-5-xxx Check the record data of this event for the NT Error code. For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

If needed, the netsetup.log can give more information. See the example below from a working machine.

NetpReadAccountReuseModeFromAD: Searching '<WKGUID=AB1D30F3768811D1ADED00C04FD8D5CD,DC=contoso,DC=com>' for '(&(ObjectClass=ServiceConnectionPoint)(KeyWords=NetJoin*))'.
NetpReadAccountReuseModeFromAD: Got 0 Entries.
Returning NetStatus: 0, ADReuseMode: 0
IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2. 
IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: 0, NetStatus: 0
NetpDsValidateComputerAccountReuseAttempt: returning Result: TRUE
NetpCheckIfAccountShouldBeReused: Active Directory Policy check returned NetStatus:0x0.
NetpCheckIfAccountShouldBeReused: Account re-use attempt was permitted by Active Directory Policy.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: TRUE, NetStatus:0x0

Known issues

Issue 1

After installing the September 12, 2023 or later updates, domain join may fail in environments where the following policy is set: Network access - Restrict clients allowed to make remote calls to SAM - Windows Security | Microsoft Learn. This is because client machines now make authenticated SAMRPC calls to the domain controller to perform security validation checks related to reusing computer accounts.

This is expected. To accommodate this change, administrators should either keep the domain controller’s SAMRPC policy at default settings OR explicitly include the user group performing the domain join in the SDDL settings to grant them permission.

Example from a netsetup.log where this issue occurred:

09/18/2023 13:37:15:379 NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: c0000022, NetStatus: 5
09/18/2023 13:37:15:379 NetpDsValidateComputerAccountReuseAttempt: returning Result: FALSE
09/18/2023 13:37:15:379 NetpCheckIfAccountShouldBeReused: Active Directory Policy check with SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 returned NetStatus:0x5.
09/18/2023 13:37:15:379 NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
09/18/2023 13:37:15:379 NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac 
09/18/2023 13:37:15:379 NetpProvisionComputerAccount: LDAP creation failed: 0xaac

Issue 2

If the computer owner account has been deleted, and an attempt to reuse the computer account occurs, Event 16997 will be logged in the System event log. If this occurs, it is okay to re-assign ownership to another account or group.

Issue 3

If only the client has the March 14, 2023 or later update, the Active Directory policy check will return 0x32 STATUS_NOT_SUPPORTED. Previous checks that were implemented in the November hotfixes will apply as shown below:

NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=LT-NIClientBA,CN=Computers,DC=contoso,DC=com
NetpGetADObjectOwnerAttributes: Ms-Ds-CreatorSid is empty.
NetpGetNCData: Reading NC data
NetpReadAccountReuseModeFromAD: Searching '<WKGUID=AB1D30F3768811D1ADED00C04FD8D5CD,DC=LT2k16dom,DC=com>' for '(&(ObjectClass=ServiceConnectionPoint)(KeyWords=NetJoin*))'.
NetpReadAccountReuseModeFromAD: Got 0 Entries.
Returning NetStatus: 0, ADReuseMode: 0
IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2. 
IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: c00000bb, NetStatus: 32 
NetpDsValidateComputerAccountReuseAttempt: returning Result: FALSE
NetpCheckIfAccountShouldBeReused: Active Directory Policy check returned NetStatus:0x32.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac 
NetpProvisionComputerAccount: LDAP creation failed: 0xaac