Applies To: Windows Server 2008 Datacenter ESU; Windows Server 2008 Standard ESU; Windows Server 2008 Enterprise ESU; Windows 7 Enterprise ESU; Windows 7 Professional ESU; Windows 7 Ultimate ESU; Windows Server 2008 R2 Enterprise ESU; Windows Server 2008 R2 Standard ESU; Windows Server 2008 R2 Datacenter ESU; Windows Embedded Standard 7 ESU; Windows Embedded POSReady 7 ESU; Windows Server 2012; Windows Embedded 8 Standard; Windows 8.1; Windows RT 8.1; Windows Server 2012 R2; Windows Embedded 8.1 Industry Enterprise; Windows Embedded 8.1 Industry Pro; Windows 10; Windows 10, version 1607, all editions; Windows Server 2016, all editions; Win 10 Ent LTSC 2019; Win 10 IoT Ent LTSC 2019; Windows 10 IoT Core LTSC; Windows Server 2019; Windows 10 Enterprise Multi-Session, version 20H2; Windows 10 Enterprise and Education, version 20H2; Windows 10 IoT Enterprise, version 20H2; Windows 10 on Surface Hub; Windows 10, version 21H1, all editions; Windows 10, version 21H2, all editions; Windows 11 version 21H2, all editions; Windows 11 version 22H2, all editions; Windows Server 2022

Updated 08/13/2024; see August 13, 2024 behavior

Summary

Windows updates released on and after October 11, 2022, contain additional protections introduced in response to CVE-2022-38042. These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain unless:

  • The user attempting the operation is the creator of the existing account.

    Or

  • The computer was created by a member of domain administrators.

    Or

  • The owner of the computer account being reused is a principal (or a member of a group) listed in the "Domain controller: Allow computer account re-use during domain join" Group Policy setting. This setting requires the installation of Windows updates released on or after March 14, 2023, on ALL member computers and domain controllers.

Updates released on and after March 14, 2023 and September 12, 2023, will provide additional options for affected customers on Windows Server 2012 R2 and above and all supported clients. For more information, see the October 11, 2022 behavior and Take Action sections.

Note This article previously referenced a NetJoinLegacyAccountReuse registry key. As of August 13, 2024, this registry key and its references in this article were removed. 

Behavior before October 11, 2022

Before you install the October 11, 2022, or later cumulative updates, the client computer queries Active Directory for an existing account with the same name. This query occurs during domain join and computer account provisioning. If such an account exists, the client will automatically attempt to reuse it.

Note The reuse attempt will fail if the user who attempts the domain join operation does not have the appropriate write permissions. However, if the user has enough permissions the domain join will succeed.

There are two scenarios for domain join with respective default behaviors and flags as follows:

October 11, 2022 behavior 

Once you install the October 11, 2022, or later Windows cumulative updates on a client computer, during domain join, the client will perform additional security checks before attempting to reuse an existing computer account. Algorithm:

  1. Account reuse attempt will be permitted if the user attempting the operation is the creator of the existing account.

  2. Account reuse attempt will be permitted if the account was created by a member of domain administrators.

These additional security checks are done before attempting to join the computer. If the checks are successful, the rest of the join operation is subject to Active Directory permissions as before.

This change does not affect new accounts.

Note After installing the October 11, 2022, or later Windows cumulative updates, domain join with computer account reuse might intentionally fail with the following error:

Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”

If so, the account is intentionally being protected by the new behavior.

Event ID 4101 is logged when this error occurs, and the details of the failed attempt are written to c:\windows\debug\netsetup.log. Follow the steps in Take Action below to understand the failure and resolve the issue.

March 14, 2023 behavior

In the Windows updates released on or after March 14, 2023, we made a few changes to the security hardening. These changes include all the changes we made on October 11, 2022.

First, we expanded the scope of groups that are exempt from this hardening. In addition to Domain Administrators, Enterprise Administrators and Built-in Administrators groups are now exempt from the ownership check.

Second, we implemented a new Group Policy setting. Administrators can use it to specify an allow list of trusted computer account owners. The computer account will bypass the security check if one of the following is true:

  • The account is owned by a user specified as a trusted owner in the “Domain controller: Allow computer account re-use during domain join” Group Policy.

  • The account is owned by a user who is a member of a group specified as a trusted owner in the “Domain controller: Allow computer account re-use during domain join” Group Policy.

To use this new Group Policy, both the domain controller and the member computer must have the March 14, 2023, or later update installed. Some of you might have particular accounts that you use in automated computer account creation. If those accounts are safe from abuse and you trust them to create computer accounts, you can exempt them. You will still be secure against the original vulnerability mitigated by the October 11, 2022, Windows updates.

September 12, 2023 behavior

In the Windows updates released on or after September 12, 2023, we made a few additional changes to the security hardening. These changes include all the changes we made on October 11, 2022, and the changes from March 14, 2023.

We addressed an issue where domain join using smart card authentication failed regardless of the policy setting. To fix this issue, we moved the remaining security checks back to the Domain Controller. Therefore, following the September 2023 security update, client machines make authenticated SAMRPC calls to the domain controller to perform security validation checks related to reusing computer accounts.

However, this may cause domain join to fail in environments where the following policy is set: Network access: Restrict clients allowed to make remote calls to SAM. Please see the "Known Issues" section for information on how to resolve this issue.

August 13, 2024 behavior

In the Windows updates released on or after August 13, 2024, we addressed all known compatibility issues with the Allowlist policy. We also removed support for the NetJoinLegacyAccountReuse key. The hardening behavior will persist regardless of the key setting. The appropriate methods for adding exemptions are listed in the Take Action section below. 

Take Action

Configure the new allow list policy using the Group Policy on a domain controller and remove any legacy client-side workarounds. Then, do the following:

  1. You must install the September 12, 2023, or later updates on all member computers and domain controllers. 

  2. In a new or existing group policy that applies to all domain controllers, configure the settings in the steps below.

  3. Under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options, double-click Domain controller: Allow computer account re-use during domain join.

  4. Select Define this policy setting and <Edit Security…>.

  5. Use the object picker to add users or groups of trusted computer account creators and owners to the Allow permission. (As a best practice, we highly recommend that you use groups for permissions.) Do not add the user account that performs the domain join.

    Limit membership to the policy to trusted users and service accounts. Do not add authenticated users, everyone or other large groups to this policy. Instead, add specific trusted users and service accounts to groups and add those groups to the policy.

  6. Wait for the Group Policy refresh interval or run gpupdate /force on all domain controllers.

  7. Verify that the "ComputerAccountReuseAllowList" registry value under HKLM\System\CCS\Control\SAM is populated with the desired SDDL. Do not manually edit the registry.

  8. Attempt to join a computer that has the September 12, 2023, or later updates installed. Ensure that one of the accounts listed in the policy owns the computer account. If the domain join fails, check the c:\windows\debug\netsetup.log.
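The following PowerShell is an added example for steps 7 and 8; it is not code from the Microsoft article. Run on a domain controller, it reads the SDDL that the policy writes, lists the principals granted Allow, and reports whether a given existing computer account would pass the ownership checks described above (creator, exempt administrator groups, allow list), so a blocked join can be predicted before it is attempted. Assumptions: "CCS" in the article's registry path stands for CurrentControlSet; the value is a REG_SZ SDDL string; the owner of the computer object is what the article means by its creator; and whether nested group membership satisfies the allow list is not stated by the article, so a nested hit is reported as such.

```powershell
#Requires -Modules ActiveDirectory
# Added example; not code from the Microsoft article. Run on a domain controller after
# the allow-list policy has applied. The value name is the one the article gives;
# expanding "CCS" to CurrentControlSet is an assumption.

function Get-ComputerAccountReuseAllowList {
    # Return the principals granted Allow in the SDDL that Group Policy wrote.
    $regPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'
    $valueName = 'ComputerAccountReuseAllowList'
    $sddl = (Get-ItemProperty -Path $regPath -Name $valueName -ErrorAction Stop).$valueName
    $sd   = [System.Security.AccessControl.RawSecurityDescriptor]::new($sddl)
    foreach ($ace in $sd.DiscretionaryAcl) {
        if ($ace.AceType -ne [System.Security.AccessControl.AceType]::AccessAllowed) { continue }
        [pscustomobject]@{
            Sid     = $ace.SecurityIdentifier.Value
            Account = $(try { $ace.SecurityIdentifier.Translate([System.Security.Principal.NTAccount]).Value } catch { '<unresolvable SID>' })
        }
    }
}

function Test-ComputerAccountReuse {
    # Evaluate whether reusing an existing computer account would pass the ownership
    # checks the article describes: creator, exempt admin groups, allow list.
    param(
        [Parameter(Mandatory)] [string] $ComputerName,  # computer name without the trailing $
        [string] $JoiningUser                           # optional: sAMAccountName of the joining user
    )
    $domainSid = (Get-ADDomain).DomainSID.Value
    $rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
    # Owners exempt from the check: Domain Admins, Enterprise Admins, Builtin Administrators.
    $exemptOwners = @("$domainSid-512", "$rootSid-519", 'S-1-5-32-544')

    $computer = Get-ADComputer -Identity $ComputerName -Properties nTSecurityDescriptor -ErrorAction Stop
    $ownerSid = $computer.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier])
    $report = [ordered]@{
        Computer      = $computer.DistinguishedName
        OwnerSid      = $ownerSid.Value
        Owner         = $(try { $ownerSid.Translate([System.Security.Principal.NTAccount]).Value } catch { $null })
        ReuseExpected = $false
        Reason        = ''
    }

    if (-not $report.Owner) {
        # Orphaned owner: the case the article's Issue 2 and event 16997 describe.
        $reason = 'BLOCK: owner SID does not resolve (orphaned account); reassign ownership.'
    } elseif ($exemptOwners -contains $ownerSid.Value) {
        $reason = 'ALLOW: owner is an administrators group that is exempt from the ownership check.'
    } elseif ($JoiningUser -and (Get-ADUser -Identity $JoiningUser).SID.Value -eq $ownerSid.Value) {
        $reason = 'ALLOW: the joining user is the creator (owner) of the existing account.'
    } else {
        $allowed = @(Get-ComputerAccountReuseAllowList | ForEach-Object Sid)
        if ($allowed -contains $ownerSid.Value) {
            $reason = 'ALLOW: owner is listed directly in the allow-list policy.'
        } else {
            # The owner may be covered through a group. Nested membership is resolved with
            # LDAP_MATCHING_RULE_IN_CHAIN; the article does not state whether nesting counts,
            # so confirm a nested hit with a test join.
            $ownerObj = Get-ADObject -Filter "objectSid -eq '$($ownerSid.Value)'"
            $hit = $null
            if ($ownerObj) {
                $hit = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$($ownerObj.DistinguishedName))" |
                       Where-Object { $allowed -contains $_.SID.Value } | Select-Object -First 1
            }
            $reason = if ($hit) { "ALLOW: owner is a member of allow-listed group $($hit.Name)." } else { 'BLOCK: owner is neither exempt nor covered by the allow list; expect error 0xaac and event 4101.' }
        }
    }
    $report.ReuseExpected = $reason.StartsWith('ALLOW')
    $report.Reason        = $reason
    [pscustomobject]$report
}

# Usage (on a domain controller):
#   Get-ComputerAccountReuseAllowList | Format-Table
#   Test-ComputerAccountReuse -ComputerName 'Computer2' -JoiningUser 'provisioning-svc'
```

Running Get-ComputerAccountReuseAllowList is also a quick way to catch the mistake the article warns against in step 5: if Authenticated Users, Everyone or another large group shows up in the output, the policy is far wider than intended.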

If you still need an alternate workaround, review computer account provisioning workflows and understand if changes are required. 

  1. Perform the join operation using the same account that created the computer account in the target domain.

  2. If the existing account is stale (unused), delete it before attempting to join the domain again.

  3. Rename the computer and join using a new computer account name that doesn’t already exist.

  4. If the existing account is owned by a trusted security principal and an administrator wants to reuse the account, follow the guidance in the Take Action section to install the September 2023 or later Windows updates and configure an allow list.

Nonsolutions

  • Do not add service accounts or provisioning accounts to the Domain Admins security group.

  • Do not manually edit the security descriptor on computer accounts in an attempt to redefine the ownership of such accounts, unless the previous owner account has been deleted. While editing the owner will enable the new checks to succeed, the computer account might retain the same potentially risky, unwanted permissions for the original owner unless explicitly reviewed and removed.

New event logs

Event log: SYSTEM
Event Source: Netjoin
Event ID: 4100
Event Type: Informational
Event Text:

During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name.

An attempt to re-use this account was permitted.

Domain controller searched: <domain controller name>
Existing computer account DN: <DN path of computer account>
See https://go.microsoft.com/fwlink/?linkid=2202145 for more information.

Event log: SYSTEM
Event Source: Netjoin
Event ID: 4101
Event Type: Error
Event Text:

During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name.

An attempt to re-use this account was prevented for security reasons.

Domain controller searched: <domain controller name>
Existing computer account DN: <DN path of computer account>
The error code was <error code>. See https://go.microsoft.com/fwlink/?linkid=2202145 for more information.

Debug logging is available by default (no need to enable any verbose logging) in C:\Windows\Debug\netsetup.log on all client computers.

Example of the debug logging generated when the reuse of the account is prevented for security reasons:

NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=Computer2,CN=Computers,DC=contoso,DC=com
NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=Computer2,CN=Computers,DC=contoso,DC=com
NetpCheckIfAccountShouldBeReused: Account was created through joinpriv and does not belong to this user. Blocking re-use of account.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac
NetpProvisionComputerAccount: LDAP creation failed: 0xaac
ldap_unbind status: 0x0
NetpJoinCreatePackagePart: status:0xaac.
NetpJoinDomainOnDs: Function exits with status of: 0xaac
NetpJoinDomainOnDs: status of disconnecting from '\\DC1.contoso.com': 0x0
NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'contoso.com' returned 0x0
NetpJoinDomainOnDs: NetpResetIDNEncoding on 'contoso.com': 0x0
NetpDoDomainJoin: status: 0xaac

New events added in March 2023

This update adds four (4) new events in the SYSTEM log on the domain controller as follows:

Event Level: Informational
Event Id: 16995
Log: SYSTEM
Event Source: Directory-Services-SAM
Event Text:

The security account manager is using the specified security descriptor for validation of computer account re-use attempts during domain join.

SDDL Value: <SDDL String>

This allow list is configured through group policy in Active Directory.

For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Event Level: Error
Event Id: 16996
Log: SYSTEM
Event Source: Directory-Services-SAM
Event Text:

The security descriptor that contains the computer account re-use allow list being used to validate client requests domain join is malformed.

SDDL Value: <SDDL String>

This allow list is configured through group policy in Active Directory.

To correct this problem an administrator will need to update the policy to set this value to a valid security descriptor or disable it.

For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Event Level: Error
Event Id: 16997
Log: SYSTEM
Event Source: Directory-Services-SAM
Event Text:

The security account manager found a computer account that appears to be orphaned and does not have an existing owner.

Computer Account: S-1-5-xxx

Computer Account Owner: S-1-5-xxx

For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

Event Level: Warning
Event Id: 16998
Log: SYSTEM
Event Source: Directory-Services-SAM
Event Text:

The security account manager rejected a client request to re-use a computer account during domain join.

The computer account and the client identity did not meet the security validation checks.

Client Account: S-1-5-xxx

Computer Account: S-1-5-xxx

Computer Account Owner: S-1-5-xxx

Check the record data of this event for the NT Error code.

For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.

If needed, the netsetup.log can give more information.
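The events above are the detection surface for this hardening: 4100/4101 on the joining client and 16995 through 16998 on the domain controller. The PowerShell below is an added example, not code from the article, that collects both sets over a recent window, labels each event with its meaning, and resolves the S-1-5-... SIDs that 16997 and 16998 carry so an analyst can see which client, computer and owner were involved without a second lookup. The log name, event source names, IDs and message layout are taken from the article as printed; an unresolvable owner SID is reported as such because that is exactly the orphaned-owner condition 16997 describes.

```powershell
# Added example; not code from the Microsoft article. Log names, sources, IDs and the
# "Label: S-1-5-..." message layout are the ones the article lists.

function Resolve-SidLabel {
    param([string] $Sid)
    # Translate a SID to DOMAIN\name; an unresolvable SID is itself a finding (event 16997).
    try   { ([System.Security.Principal.SecurityIdentifier]::new($Sid)).Translate([System.Security.Principal.NTAccount]).Value }
    catch { "$Sid (unresolved)" }
}

function ConvertTo-ReuseEventSummary {
    param([System.Diagnostics.Eventing.Reader.EventRecord] $Event)
    $msg = [string]$Event.Message
    # 16997 and 16998 carry one "Label: SID" line per principal; longer label first so it wins.
    $principals = foreach ($m in [regex]::Matches($msg, '(?m)^(Computer Account Owner|Computer Account|Client Account):\s*(S-1-[\d-]+)')) {
        "$($m.Groups[1].Value)=$(Resolve-SidLabel $m.Groups[2].Value)"
    }
    $meaning = switch ($Event.Id) {
        4100  { 'info: client reused an existing account (permitted)' }
        4101  { 'error: client reuse blocked by policy (0xaac); see netsetup.log' }
        16995 { 'info: DC loaded the allow-list SDDL' }
        16996 { 'error: allow-list SDDL malformed; fix or disable the policy' }
        16997 { 'error: computer account owner is orphaned; reassign ownership' }
        16998 { 'warning: DC rejected reuse; NT status is in the record data' }
    }
    [pscustomobject]@{
        Time       = $Event.TimeCreated
        Source     = $Event.ProviderName
        Id         = $Event.Id
        Meaning    = $meaning
        Principals = $principals -join '; '
        Sddl       = $(if ($msg -match 'SDDL Value:\s*(\S+)') { $Matches[1] } else { $null })
    }
}

function Get-ComputerReuseEvents {
    # Query a client (Netjoin events) or a DC (Directory-Services-SAM events); both
    # filters are tried, and a host that lacks one source simply returns nothing for it.
    param(
        [string] $ComputerName = $env:COMPUTERNAME,
        [int]    $Hours = 24
    )
    $since   = (Get-Date).AddHours(-$Hours)
    $filters = @(
        @{ LogName = 'System'; ProviderName = 'Netjoin';                Id = 4100, 4101;                StartTime = $since },
        @{ LogName = 'System'; ProviderName = 'Directory-Services-SAM'; Id = 16995, 16996, 16997, 16998; StartTime = $since }
    )
    foreach ($f in $filters) {
        # Get-WinEvent raises an error when nothing matches; that is not a failure here.
        Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue |
            ForEach-Object { ConvertTo-ReuseEventSummary -Event $_ }
    }
}

# Usage:
#   Get-ComputerReuseEvents -ComputerName 'DC1' -Hours 72 | Format-Table -AutoSize
#   Get-ComputerReuseEvents | Where-Object Id -in 4101, 16998
```

A steady stream of 16998 from one client account is the signal worth alerting on: it means a principal is repeatedly attempting to take over existing computer accounts it does not own, which is the behaviour this hardening exists to stop.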

Known issues

Issue 1

After installing the September 12, 2023, or later updates, domain join may fail in environments where the following policy is set: Network access: Restrict clients allowed to make remote calls to SAM. This is because client machines now make authenticated SAMRPC calls to the domain controller to perform security validation checks related to reusing computer accounts. This is expected. To accommodate this change, administrators should either keep the domain controller’s SAMRPC policy at default settings OR explicitly include the user group performing the domain join in the SDDL settings to grant them permission.

Example from a netsetup.log where this issue occurred:

09/18/2023 13:37:15:379 NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: c0000022, NetStatus: 5
09/18/2023 13:37:15:379 NetpDsValidateComputerAccountReuseAttempt: returning Result: FALSE
09/18/2023 13:37:15:379 NetpCheckIfAccountShouldBeReused: Active Directory Policy check with SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 returned NetStatus:0x5.
09/18/2023 13:37:15:379 NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
09/18/2023 13:37:15:379 NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac 
09/18/2023 13:37:15:379 NetpProvisionComputerAccount: LDAP creation failed: 0xaac

Issue 2

If the computer owner account has been deleted, and an attempt to reuse the computer account occurs, Event 16997 will be logged in the System event log. If this occurs, it is okay to re-assign ownership to another account or group.

Issue 3

If only the client has the March 14, 2023, or later update, the Active Directory policy check will return 0x32 STATUS_NOT_SUPPORTED. Previous checks that were implemented in the November hotfixes will apply as shown below:

NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: c00000bb, NetStatus: 32 
NetpDsValidateComputerAccountReuseAttempt: returning Result: FALSE
NetpCheckIfAccountShouldBeReused: Active Directory Policy check returned NetStatus:0x32.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac 
NetpProvisionComputerAccount: LDAP creation failed: 0xaac
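The three netsetup.log excerpts in this article (the ownership block under "New event logs", Issue 1 and Issue 3) differ only in the NtStatus/NetStatus pair and the NetpCheckIfAccountShouldBeReused line. The PowerShell below is an added example, not code from the article, that reads the log from the path the article gives, anchors on the newest "re-use is blocked by policy" line, and classifies the failure into those three documented causes. It assumes the NetStatus printed by NetpDsValidateComputerAccountReuseAttempt is hexadecimal without a 0x prefix, which is what the Issue 3 excerpt shows (NetStatus: 32 on one line, NetStatus:0x32 on the next). The embedded sample lines are copied from the article's Issue 1 excerpt for a dry run.

```powershell
# Added example; not code from the Microsoft article. Function names, status codes
# and message text are those in the article's own netsetup.log excerpts.

function Get-NetsetupReuseDiagnosis {
    param(
        [string]   $Path = 'C:\Windows\Debug\netsetup.log',   # default location per the article
        [string[]] $Lines                                     # supply lines directly instead of a file
    )
    if (-not $Lines) { $Lines = Get-Content -Path $Path -ErrorAction Stop }

    # Anchor on the newest "blocked by policy" line so an older failure is not misread.
    $blocked = $Lines | Select-String -SimpleMatch 'Account exists and re-use is blocked by policy' | Select-Object -Last 1
    if (-not $blocked) {
        return [pscustomobject]@{ Blocked = $false; NtStatus = $null; NetStatus = $null; Detail = $null; Cause = 'No blocked reuse attempt found.' }
    }
    $end    = $blocked.LineNumber - 1
    $window = $Lines[([math]::Max(0, $end - 40))..$end]   # the lines of that same attempt

    $nt = $null; $net = $null; $detail = $null
    foreach ($line in $window) {
        if ($line -match 'NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: ([0-9a-fA-F]+), NetStatus: ([0-9a-fA-F]+)') {
            $nt  = $Matches[1].ToLower()
            $net = [Convert]::ToInt32($Matches[2], 16)   # assumption: logged as hex without 0x
        } elseif ($line -match 'NetpCheckIfAccountShouldBeReused: (.+)$') {
            $detail = $Matches[1].Trim()                  # the space after the colon excludes the fReuseAllowed line
        }
    }

    $cause = if ($net -eq 5) {
        'Known issue 1: the SAMRPC validation call was denied (c0000022, STATUS_ACCESS_DENIED). The DC policy "Network access: Restrict clients allowed to make remote calls to SAM" excludes the joining principal; restore the default or add that group to its SDDL.'
    } elseif ($net -eq 50) {
        'Known issue 3: the DC answered not-supported (c00000bb, STATUS_NOT_SUPPORTED). The client has the March 2023 or later update but the DC does not, so the older checks apply; update the DC.'
    } elseif ($detail -like 'Account was created through joinpriv*') {
        'Ownership check failed: the existing account is owned by another, non-exempt principal. Join with the owner account, delete the stale account, or add the owner to the allow list.'
    } else {
        'Reuse blocked by policy (0xaac); read the NetpCheckIfAccountShouldBeReused lines for the reason.'
    }
    [pscustomobject]@{
        Blocked   = $true
        NtStatus  = $nt
        NetStatus = $net
        Detail    = $detail
        Cause     = $cause
    }
}

# Dry run on the article's Issue 1 excerpt (copied from the article, not a fresh capture):
$sample = @(
    '09/18/2023 13:37:15:379 NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: c0000022, NetStatus: 5',
    '09/18/2023 13:37:15:379 NetpDsValidateComputerAccountReuseAttempt: returning Result: FALSE',
    '09/18/2023 13:37:15:379 NetpCheckIfAccountShouldBeReused: Active Directory Policy check with SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 returned NetStatus:0x5.',
    '09/18/2023 13:37:15:379 NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0',
    '09/18/2023 13:37:15:379 NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac',
    '09/18/2023 13:37:15:379 NetpProvisionComputerAccount: LDAP creation failed: 0xaac'
)
Get-NetsetupReuseDiagnosis -Lines $sample | Format-List
# On a client that just failed to join, simply run: Get-NetsetupReuseDiagnosis | Format-List
```

On the sample above the function reports NetStatus 5 and the Known issue 1 cause; on the Issue 3 excerpt it reports NetStatus 50 (0x32) and the mismatched-update cause, and on the excerpt under "New event logs" it reports the ownership cause, which is the case the Take Action workarounds address.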
