Microsoft: Windows domain joins may fail after October updates


Microsoft says Windows domain join processes may fail with “0xaac (2732)” errors after applying this month’s security updates.

The issue stems from hardening changes introduced when addressing the CVE-2022-38042 elevation of privilege vulnerability in the Active Directory Domain Services that would allow attackers to gain domain administrator privileges.

Because of these additional protections, domain join operations are intentionally prevented from re-using an existing computer account in the target domain.

After the October 2022 security updates are installed on client computers, domain join operations that try to re-use an existing computer account are blocked by additional security checks (the changes do not affect newly created accounts).

The join is allowed only when the user attempting it has the appropriate write permissions, i.e., the user is the creator of the existing account or the computer account was created by a domain administrator.

Microsoft explained that domain join processes might intentionally fail with “0xaac (2732): NERR_AccountReuseBlockedByPolicy” errors saying that “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”

“Affected scenarios include some domain join or re-imaging operations where a computer account was created or pre-staged by a different identity than the identity used to join or re-join the computer to the domain.”

Because this known issue will only occur on managed Windows devices in enterprise environments, Redmond says it’s “unlikely” that home users are also affected.

The list of affected platforms includes both client and server Windows versions:

Client: Windows 7 SP1 up to Windows 11, version 22H2
Server: Windows Server 2008 SP2 up to Windows Server 2022

To work around these additional protections and security checks, Windows admins can:

Perform the join operation using the same account that created the computer account in the target domain.
If the existing account is stale (unused), delete it before attempting to join the domain again.
Rename the computer and join using a different account that doesn’t already exist.

Although not advised, admins can also re-use an existing account owned by a trusted security principal by (temporarily) setting a REG_DWORD registry key named “NetJoinLegacyAccountReuse” with a value of “1” at the individual client computer level and immediately removing it after the domain join process completes.

“If you choose to set this key to work around these protections, you will leave your environment vulnerable to CVE-2022-38042 unless your scenario is referenced below as appropriate,” Microsoft warned.

“Do not use this method without confirmation that the Creator/Owner of the existing computer object is a secure and trusted security principal.”
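As an added example (not from the article and not Microsoft's own tooling), the PowerShell below turns the workaround list above and the registry caveat into two checks an admin can run before re-imaging: it resolves whether the joining identity or Domain Admins owns an existing computer object and whether that object looks stale, and it flags clients where NetJoinLegacyAccountReuse was left set. The computer and account names, the 90-day stale threshold and the key's location under HKLM\SYSTEM\CurrentControlSet\Control\LSA are assumptions.

```powershell
# Added example (not from the article or from Microsoft): pre-flight check for the
# CVE-2022-38042 account-reuse hardening plus an audit for a lingering
# NetJoinLegacyAccountReuse override. Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ComputerAccountReuse {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        # Identity that will perform the join; defaults to the current user.
        [string]$JoinAccount = "$env:USERDOMAIN\$env:USERNAME",
        # Accounts idle longer than this count as stale (threshold is an assumption).
        [int]$StaleDays = 90
    )
    $existing = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
        -Properties nTSecurityDescriptor, lastLogonTimestamp
    if (-not $existing) {
        return [pscustomobject]@{ Name = $ComputerName; Owner = $null; Verdict = 'NoExistingAccount' }
    }
    # The object owner is the creating identity (Domain Admins when a DA created it);
    # that ownership is what the hardened join checks before re-using the account.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $ownerSid = $existing.nTSecurityDescriptor.GetOwner($sidType)
    $joinSid  = ([System.Security.Principal.NTAccount]$JoinAccount).Translate($sidType)
    $domainAdminsSid = [System.Security.Principal.SecurityIdentifier]"$((Get-ADDomain).DomainSID.Value)-512"
    $lastLogon = if ($existing.lastLogonTimestamp) {
        [DateTime]::FromFileTime($existing.lastLogonTimestamp) } else { [DateTime]::MinValue }
    $stale = $lastLogon -lt (Get-Date).AddDays(-$StaleDays)
    $verdict = if ($ownerSid -eq $joinSid) { 'ReuseAllowed: join identity owns the account' }
        elseif ($ownerSid -eq $domainAdminsSid) { 'ReuseAllowed: account owned by Domain Admins' }
        elseif ($stale) { 'Blocked: stale account, delete it before re-joining' }
        else { 'Blocked: join as the owner account or rename the computer' }
    $ownerName = try { $ownerSid.Translate([System.Security.Principal.NTAccount]).Value }
                 catch { $ownerSid.Value }   # orphaned SID: show it raw
    [pscustomobject]@{ Name = $ComputerName; Owner = $ownerName; LastLogon = $lastLogon; Verdict = $verdict }
}

function Test-LegacyReuseOverride {
    # Flags clients where the "temporary" registry workaround was never removed.
    # Key location is an assumption (Microsoft documents it under the LSA key).
    param([string]$Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA')
    $value = (Get-ItemProperty -Path $Path -Name NetJoinLegacyAccountReuse `
        -ErrorAction SilentlyContinue).NetJoinLegacyAccountReuse
    [pscustomobject]@{ Path = $Path; Present = ($null -ne $value); Value = $value
                       StillExposed = ($value -eq 1) }   # 1 re-enables legacy account reuse
}

# Usage (constructed names):
Test-ComputerAccountReuse -ComputerName 'WS-0042' -JoinAccount 'CORP\imaging-svc'
Test-LegacyReuseOverride
```

Run the first function with the identity that will actually perform the join; a 'Blocked' verdict tells you which of the three workarounds above applies, and a 'StillExposed' result from the second means the registry override was never cleaned up.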
