• Donate
    TheWindowsForum.com needs donations to stay online!
    Love TheWindowsForum.com? Then help keep it alive by sending a donation!

Microsoft: Windows domain joins may fail after October updates

WELCOME TO THEWINDOWSFORUM COMMUNITY!

Our community has more than 63,000 registered members, and we'd love to have you as a member. Join us and take part in our unbiased discussions among people of all different backgrounds about Windows OS, Software, Hardware and more.

AFFASocial

Ultimate Donator
VIP
Jun 26, 2021
740
482

Microsoft: Windows domain joins may fail after October updates​

  • October 28, 2022
  • 09:19 AM ET
  • 0

Windows

Microsoft says Windows domain join processes may fail with "0xaac (2732)" errors after applying this month's security updates.
The issue stems from hardening changes introduced when addressing the CVE-2022-38042 elevation of privilege vulnerability in the Active Directory Domain Services that would allow attackers to gain domain administrator privileges.
Because of these additional protections, domain join operations are intentionally prevented from re-using an existing computer account in the target domain.
Domain join operations will be blocked automatically after installing the October 2022 security updates on client computers due to additional security checks before re-using an existing computer account (the changes do not affect new accounts).
This happens unless the user attempting to join the domain does not have the appropriate write permissions (i.e., the user is the creator of the existing account or the computer was created by a domain administrator).
Microsoft explained that domain join processes might intentionally fail with "0xaac (2732): NERR_AccountReuseBlockedByPolicy" errors saying that "An account with the same name exists in Active Directory. Re-using the account was blocked by security policy."
"Affected scenarios include some domain join or re-imaging operations where a computer account was created or pre-staged by a different identity than the identity used to join or re-join the computer to the domain."
Because this known issue will only occur on managed Windows devices in enterprise environments, Redmond says it's "unlikely" that home users are also affected.
The list of affected platforms includes both client and server Windows versions:
  • Client: Windows 7 SP1 up to Windows 11, version 22H2
  • Server: Windows Server 2008 SP2 up to Windows Server 2022

Workaround for October 2022 hardening changes​

To work around these additional protections and security checks, Windows admins can:
  1. Perform the join operation using the same account that created the computer account in the target domain.
  2. If the existing account is stale (unused), delete it before attempting to join the domain again.
  3. Rename the computer and join using a different account that doesn't already exist.
Although not advised, admins can also re-use an existing account owned by a trusted security principal by (temporarily) setting a REG_DWORD registry key named "NetJoinLegacyAccountReuse" with a value of "1" at the individual client computer level and immediately removing it after the domain join process completes.
"If you choose to set this key to work around these protections, you will leave your environment vulnerable to CVE-2022-38042 unless your scenario is referenced below as appropriate," Microsoft warned.
"Do not use this method without confirmation that the Creator/Owner of the existing computer object is a secure and trusted security principal."
 
Holy crap, this last update hosed my Lenovo Y40-70 laptop, had to reload it. From what I could tell it's patched up hotfix, a patch to fix the patch, and so on and so on. Microsoft at one time had this protocol, problems would be identified at a stand up conference. A group would be handed the problem proposed and written patches/fixes and tested. These would be presented at the end of the week. Another board would review the entire processes and approve or send the project back for more work. The "update" would then be packaged and approved for "Update Tuesday". This really kept the mistakes being made. No doubt the current management has cut some serious corners and here's the result. Now maybe if they did a better job with the O/S in the first place.....
 
Last edited:
Back