Monday, May 1, 2023

An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.

I recently encountered this when a Microsoft Teams Room on Windows system was re-imaged after a local hardware failure: the system could not rejoin the domain, even after resetting or re-creating the computer object.


The issue is caused by KB5020276, where Microsoft strengthened the security checks around re-using a domain computer object. The client computer queries Active Directory for an existing account with the same name. This query occurs during domain join and computer account provisioning. If such an account exists, the client automatically attempts to reuse it. The reuse attempt fails if the user performing the domain join does not have the appropriate write permissions on that existing object.




Solution -


Microsoft released an update to the above KB in March 2023 with a couple of changes to ease this hardening. They expanded the scope of exempt groups: members of Domain Administrators, Enterprise Administrators, and the Built-in Administrators group are exempt from the check.

You can also configure trusted computer account owners to bypass the security check. The reuse is allowed when:

  • The account is owned by a user specified as a trusted owner in the “Domain controller: Allow computer account re-use during domain join” Group Policy.

  • The account is owned by a user who is a member of a group specified as a trusted owner in the “Domain controller: Allow computer account re-use during domain join” Group Policy.

  • To set this up, open the policy under Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options and double-click Domain controller: Allow computer account re-use during domain join.

For this to work as expected, make sure both your Windows PC and the domain controllers have the March 2023 update or the latest available update installed.


An alternate workaround (see below) is available, but note that this option will no longer be available after the September 9, 2023 updates. To address this issue properly, it is highly recommended to either create a GPO that allows custom AD accounts to be trusted owners or to perform the join with DA access.


Reg add HKLM\System\CurrentControlSet\Control\Lsa /v NetJoinLegacyAccountReuse /t REG_DWORD /d 1 /f




Once the system is joined to the domain using the NetJoinLegacyAccountReuse method, reverting the change is highly recommended.


Reg delete HKLM\System\CurrentControlSet\Control\Lsa /v NetJoinLegacyAccountReuse /f
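Before re-joining a re-imaged device it helps to know two things this post describes: who owns the existing computer object (the joining user must be the owner, a trusted owner from the GPO, or a member of an exempt admin group), and whether the temporary NetJoinLegacyAccountReuse workaround is still set locally so it can be reverted. The following PowerShell is an added example and not part of the original post; it assumes the RSAT ActiveDirectory module is installed, and the computer name is a placeholder.

```powershell
# Added example (not from the original post). Assumes RSAT ActiveDirectory
# module is available. $ComputerName is a placeholder; replace it.
param(
    [string]$ComputerName = 'MTR-ROOM-01'   # placeholder device name
)

Import-Module ActiveDirectory

# 1. Who owns the existing computer object? The KB5020276 check allows reuse
#    only for the owner, a trusted owner from the GPO, or an exempt admin group.
$computer = Get-ADComputer -Identity $ComputerName `
    -Properties nTSecurityDescriptor -ErrorAction SilentlyContinue

if ($null -eq $computer) {
    Write-Output "No computer object named '$ComputerName' exists; a normal join will create one."
} else {
    $owner   = $computer.nTSecurityDescriptor.Owner        # e.g. DOMAIN\someuser
    $current = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
    Write-Output "Computer object '$ComputerName' is owned by: $owner"
    if ($owner -ieq $current) {
        Write-Output "Current user '$current' is the owner; reuse is permitted."
    } else {
        Write-Warning ("Current user '$current' is not the owner. Join as the owner, " +
                       "as a DA/EA/Built-in Administrator, or add a trusted owner via the " +
                       "'Allow computer account re-use during domain join' GPO.")
    }
}

# 2. Is the legacy workaround still set? It should be removed after the join
#    (same effect as the 'reg delete' command above).
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$legacy  = Get-ItemProperty -Path $regPath -Name NetJoinLegacyAccountReuse `
    -ErrorAction SilentlyContinue

if ($legacy -and $legacy.NetJoinLegacyAccountReuse -eq 1) {
    Write-Warning "NetJoinLegacyAccountReuse=1 is present; revert it once the join is complete."
    # Uncomment to revert immediately:
    # Remove-ItemProperty -Path $regPath -Name NetJoinLegacyAccountReuse -Force
} else {
    Write-Output "NetJoinLegacyAccountReuse is not set; no legacy workaround to revert."
}
```

Run it on the re-imaged device as the account you intend to use for the join; the owner check needs read access to the computer object's security descriptor.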


