Microsoft regularly releases security updates and improvements for the Windows operating system. The KB5020276 update includes security hardening of the netjoin process. Netjoin is the process of joining a computer to a domain, which lets users access network resources and makes the computer subject to domain policies.
Microsoft KB5020276 Netjoin Domain join hardening changes – Cengiz YILMAZ
This update enforces stricter security measures during the domain join process. This is designed to keep computers secure and protected from unauthorized access. The following domain join security changes are made with the KB5020276 update:
Strong password requirement: The KB5020276 update enables stronger hashing algorithms to be used for passwords used during the domain join process. This makes passwords more secure and more resistant to attacks.
Updated security policies: The update enforces stricter security policies for the domain join operation. This ensures that computers meet certain security requirements when joining the domain and makes it harder for vulnerabilities to be exploited.
Account lockout measures: The KB5020276 update strengthens account lockout measures during the domain join process. This is designed to detect and block potential attacks and login attempts.
What is CVE-2022-38042?
CVE-2022-38042, described as an “Active Directory Domain Services Elevation of Privilege Vulnerability”, allows privilege elevation in AD. For this reason, Microsoft has tightened domain join operations that re-use an existing computer account. Let’s note this information and continue.
Windows updates released starting October 11, 2022 include additional protections for CVE-2022-38042. These protections prevent the intentional reuse of an existing computer account in the target domain during domain join operations, except in the following cases:
- The user performing the join is the user who originally created the existing account.
- The computer account was created by a member of the domain administrators.
- The owner of the reused computer account is a member of the “Domain controller: Allow computer account re-use during domain join” Group Policy setting. This setting requires Windows updates released on or after March 14, 2023 to be installed on ALL member computers and domain controllers.
- Updates released starting March 14, 2023 provide additional options for affected customers on Windows Server 2012 R2 and later and on all supported clients.
Note:
After installing the October 11, 2022 or later Windows cumulative updates, a domain join that re-uses an existing computer account may intentionally fail with the following error:
Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”
Event ID 4101 is raised when the above error occurs, and the failure is also logged in C:\Windows\debug\netsetup.log.
March 14, 2023
- Windows updates released on or after March 14, 2023 add further security hardening. These changes include all the changes made on October 11, 2022.
- First, the scope of groups exempt from this hardening was expanded. The Domain Admins, Enterprise Admins, and built-in Administrators groups are now also exempt from the ownership checks.
- Second, a new Group Policy setting has been added. Administrators can use it to specify an allow list of trusted computer account owners. The computer account bypasses the security check if one of the following conditions is true:
- The user is specified as a trusted owner in the “Domain controller: Allow computer account re-use during domain join” Group Policy setting.
- The user is a member of a group that is specified as a trusted owner in the “Domain controller: Allow computer account re-use during domain join” Group Policy setting.
- To use this new Group Policy, both the domain controller and the member computer must have the March 14, 2023 or later update installed. In some cases, you may have specific accounts that you use for automated computer account creation. If these accounts are protected from abuse and you trust them to create computer accounts, you can exempt them.
Note: You'll still be safe from the original vulnerabilities that were mitigated by the Windows updates dated October 11, 2022.
Microsoft also plans to remove the NetJoinLegacyAccountReuse registry value in a future Windows update. This removal is currently tentatively scheduled for the September 9, 2023 update. Release dates are subject to change.
Steps to be Taken
As soon as possible, and before September 2023, configure the new allow list policy in Group Policy on the domain controllers and remove the NetJoinLegacyAccountReuse workaround from all legacy clients.

Then perform the following steps:
- You must install the March 14, 2023 updates on all member computers and domain controllers.
- In a new or existing group policy that applies to all domain controllers, configure the settings specified in the following steps.
- Under “Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options”, double-click “Domain controller: Allow computer account re-use during domain join”.
- Select “Define this policy setting”.
- Using the object picker, add the users and groups you want to grant permission to. (As a best practice, we strongly recommend using groups for permissions.) Do not add the user account that performs the domain join.
- Warning: Limit membership of the policy to trusted users and service accounts. Do not add Authenticated Users, Everyone, or other large groups to this policy. Instead, add specific trusted users and service accounts to groups and add those groups to the policy.
- Wait for the Group Policy refresh interval or run the gpupdate /force command on all domain controllers.
- Verify that the “ComputerAccountReuseAllowList” registry value under HKLM\System\CurrentControlSet\Control\SAM is populated with the requested SDDL. Do not edit the value manually.
- Try to join a computer that has the March 14, 2023 or later update installed to the domain. Make sure that the owner of the computer account is one of the accounts in the relevant policy and that the NetJoinLegacyAccountReuse registry value is not enabled (not set to 1). If the domain join fails, check C:\Windows\debug\netsetup.log.
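As an added example (not from the original post or from Microsoft), a PowerShell check for the verification steps above: it reads the allow-list SDDL and the legacy registry value named in the steps and reports whether an existing computer account's owner is exempt or trusted. It assumes an elevated session on a domain controller with the ActiveDirectory module, that the allow list is stored as an SDDL string, and it checks only the owner's direct group memberships.

```powershell
# Added example (not from the original post): on a DC, confirm that the KB5020276 allow list
# is in place and decide whether an existing computer account could be re-used under the
# March 14, 2023 rules, before attempting the join.
# Assumptions: elevated session on a DC with the ActiveDirectory module; the allow list value
# is an SDDL string; only the owner's direct group memberships are checked.
param([string]$ComputerName = 'Computer2')   # constructed sample name, taken from the post's log excerpt
Import-Module ActiveDirectory

$samKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SAM'
$lsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# 1. Allow list written by "Domain controller: Allow computer account re-use during domain join".
#    Never edit it by hand: a malformed SDDL is reported by the DC as event 16996.
$sddl = (Get-ItemProperty -Path $samKey -Name ComputerAccountReuseAllowList -ErrorAction SilentlyContinue).ComputerAccountReuseAllowList
if (-not $sddl) { throw 'ComputerAccountReuseAllowList is empty: check the GPO and run gpupdate /force on the DC.' }
$trusted = @()
foreach ($ace in (New-Object System.Security.AccessControl.RawSecurityDescriptor($sddl)).DiscretionaryAcl) {
    if ($ace.AceType -eq 'AccessAllowed') { $trusted += $ace.SecurityIdentifier.Value }
}
if ($trusted -contains 'S-1-5-11' -or $trusted -contains 'S-1-1-0') {
    Write-Warning 'Allow list contains Authenticated Users or Everyone; the policy should only list specific trusted groups.'
}

# 2. The legacy bypass must not be set once the March 2023 updates are deployed everywhere.
$legacy = (Get-ItemProperty -Path $lsaKey -Name NetJoinLegacyAccountReuse -ErrorAction SilentlyContinue).NetJoinLegacyAccountReuse
if ($legacy -eq 1) { Write-Warning 'NetJoinLegacyAccountReuse=1 bypasses the CVE-2022-38042 protections; remove it.' }

# 3. Owner of the existing computer account, and whether it passes the ownership checks.
$acct      = Get-ADComputer -Identity $ComputerName -Properties nTSecurityDescriptor
$owner     = $acct.nTSecurityDescriptor.Owner                       # e.g. CONTOSO\svc-provision
$ownerSid  = ([System.Security.Principal.NTAccount]$owner).Translate([System.Security.Principal.SecurityIdentifier]).Value
$groupSids = @()
try { $groupSids = @((Get-ADPrincipalGroupMembership -Identity $ownerSid).SID.Value) } catch { }

# Exempt owners since March 2023: Domain Admins (RID 512), Enterprise Admins (RID 519), BUILTIN\Administrators
$exempt = ($ownerSid -match '-(512|519)$') -or ($ownerSid -eq 'S-1-5-32-544') -or
          [bool]($groupSids -match '-(512|519)$') -or ($groupSids -contains 'S-1-5-32-544')
$listed = ($trusted -contains $ownerSid) -or (@($groupSids | Where-Object { $trusted -contains $_ }).Count -gt 0)

[pscustomobject]@{
    Computer         = $ComputerName
    Owner            = $owner
    OwnerExempt      = $exempt
    OwnerInAllowList = $listed
    ReuseExpected    = $exempt -or $listed   # otherwise the joiner must be the original creator, or delete/rename the account
}
```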
If you still need another workaround, review all the steps carefully and then follow the steps below:
- Perform the join operation using the same account that created the computer account in the target domain.
- If the existing account is not in use, delete it before joining the domain again.
- Rename the computer and join without using an existing account.
- If the existing account is owned by a trusted security principal and an administrator wants to re-use the account, follow the instructions in the “Steps to be Taken” section to install the March 2023 Windows update and configure an allow list.
Important guidance on using the NetJoinLegacyAccountReuse registry value
Caution: If you choose to set this switch to bypass these protections, you will leave yourself vulnerable to CVE-2022-38042.
Because of the new Group Policy, you should no longer use the NetJoinLegacyAccountReuse registry value. If you are unable to configure the new GPO in your scenario, you can use the following registry value.
Path | HKLM\System\CurrentControlSet\Control\LSA
Type | REG_DWORD
Name | NetJoinLegacyAccountReuse
Value | 1 (other values are ignored)
Microsoft will remove support for the NetJoinLegacyAccountReuse registry value in a future Windows update. This removal is currently tentatively scheduled for the September 9, 2023 update. Release dates are subject to change.
Things That Should Not Be Done!!
After installing the March 14, 2023 or later updates on the domain controllers and clients in the environment, do not use the NetJoinLegacyAccountReuse registry value. Instead, follow the steps in the “Steps to be Taken” section.
- Do not add service accounts or provisioning accounts to the Domain Admins group.
- Do not manually edit the security descriptor in order to redefine ownership of computer accounts. Editing the owner may allow new audits to pass, but the computer account may have the same potentially risky, unwanted permissions as the original owner unless explicitly reviewed and removed.
- Do not add the NetJoinLegacyAccountReuse registry value to base operating system (OS) images, as this value should only be added temporarily and then removed immediately after the domain join is complete.
New Event IDs and alerts
Event log | SYSTEM
Event source | Netjoin
Event ID | 4100
Event type | Informational
Event text | “During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name. An attempt to re-use this account was permitted. Domain controller searched: Existing computer account DN: . See https://go.microsoft.com/fwlink/?linkid=2202145 for more information.”
Event log | SYSTEM
Event source | Netjoin
Event ID | 4101
Event type | Error
Event text | “During domain join, the domain controller contacted found an existing computer account in Active Directory with the same name. An attempt to re-use this account was prevented for security reasons. Domain controller searched: Existing computer account DN: The error code was . See https://go.microsoft.com/fwlink/?linkid=2202145 for more information.”
Debug logging is available by default (no need to enable any verbose logging) in C:\Windows\debug\netsetup.log on all client computers.
Example of the debug logging generated when re-use of the account is prevented for security reasons:
NetpGetComputerObjectDn: Crack results: (Account already exists) DN = CN=Computer2,CN=Computers,DC=contoso,DC=com
NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=Computer2,CN=Computers,DC=contoso,DC=com
NetpCheckIfAccountShouldBeReused: Account was created through joinpriv and does not belong to this user. Blocking re-use of account.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac
NetpProvisionComputerAccount: LDAP creation failed: 0xaac
ldap_unbind status: 0x0
NetpJoinCreatePackagePart: status:0xaac.
NetpJoinDomainOnDs: Function exits with status of: 0xaac
NetpJoinDomainOnDs: status of disconnecting from 'DC1.contoso.com': 0x0
NetpResetIDNEncoding: DnsDisableIdnEncoding(RESETALL) on 'contoso.com' returned 0x0
NetpJoinDomainOnDs: NetpResetIDNEncoding on 'contoso.com': 0x0
NetpDoDomainJoin: status: 0xaac
This update adds four (4) new events in the SYSTEM log on the domain controller as follows:
Event level | Informational
Event ID | 16995
Log | SYSTEM
Event source | Directory-Services-SAM
Event text | The security account manager is using the specified security descriptor for validation of computer account re-use attempts during domain join. SDDL Value: This allow list is configured through group policy in Active Directory. For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.
Event level | Error
Event ID | 16996
Log | SYSTEM
Event source | Directory-Services-SAM
Event text | The security descriptor that contains the computer account re-use allow list being used to validate client requests for domain join is malformed. SDDL Value: This allow list is configured through group policy in Active Directory. To correct this problem an administrator will need to update the policy to set this value to a valid security descriptor or disable it. For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.
Event level | Error
Event ID | 16997
Log | SYSTEM
Event source | Directory-Services-SAM
Event text | The security account manager found a computer account that appears to be orphaned and does not have an existing owner. Computer Account: S-1-5-xxx Computer Account Owner: S-1-5-xxx For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145.
Event level | Warning
Event ID | 16998
Log | SYSTEM
Event source | Directory-Services-SAM
Event text | The security account manager rejected a client request to re-use a computer account during domain join. The computer account and the client identity did not meet the security validation checks. Client Account: S-1-5-xxx Computer Account: S-1-5-xxx Computer Account Owner: S-1-5-xxx Check the record data of this event for the NT Error code. For more information please see http://go.microsoft.com/fwlink/?LinkId=2202145
If needed, the netsetup.log can give more information. See the example below from a working machine.
NetpReadAccountReuseModeFromAD: Searching '<WKGUID=AB1D30F3768811D1ADED00C04FD8D5CD,DC=contoso,DC=com>' for '(&(ObjectClass=ServiceConnectionPoint)(KeyWords=NetJoin*))'.
NetpReadAccountReuseModeFromAD: Got 0 Entries. Returning NetStatus: 0, ADReuseMode: 0
IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2.
IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: 0, NetStatus: 0
NetpDsValidateComputerAccountReuseAttempt: returning Result: TRUE
NetpCheckIfAccountShouldBeReused: Active Directory Policy check returned NetStatus:0x0.
NetpCheckIfAccountShouldBeReused: Account re-use attempt was permitted by Active Directory Policy.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: TRUE, NetStatus:0x0
If only the client has the March 14, 2023 or later update, the Active Directory policy check will return 0x32 STATUS_NOT_SUPPORTED. The previous checks implemented in the November hotfixes will then apply, as shown below.
NetpGetADObjectOwnerAttributes: Looking up attributes for machine account: CN=LT-NIClientBA,CN=Computers,DC=contoso,DC=com
NetpGetADObjectOwnerAttributes: Ms-Ds-CreatorSid is empty.
NetpGetNCData: Reading NC data
NetpReadAccountReuseModeFromAD: Searching '<WKGUID=AB1D30F3768811D1ADED00C04FD8D5CD,DC=LT2k16dom,DC=com>' for '(&(ObjectClass=ServiceConnectionPoint)(KeyWords=NetJoin*))'.
NetpReadAccountReuseModeFromAD: Got 0 Entries. Returning NetStatus: 0, ADReuseMode: 0
IsLegacyAccountReuseSetInRegistry: RegQueryValueEx for 'NetJoinLegacyAccountReuse' returned Status: 0x2.
IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
NetpDsValidateComputerAccountReuseAttempt: returning NtStatus: c00000bb, NetStatus: 32
NetpDsValidateComputerAccountReuseAttempt: returning Result: FALSE
NetpCheckIfAccountShouldBeReused: Active Directory Policy check returned NetStatus:0x32.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac
NetpProvisionComputerAccount: LDAP creation failed: 0xaac
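As an added example (not from the original post or from Microsoft), a PowerShell triage helper for the events and netsetup.log lines described above: it extracts the re-use decision from the client log and pulls the Netjoin and Directory-Services-SAM events from a domain controller. The embedded log lines are a constructed sample taken from the blocked-join excerpt above; the function names are hypothetical.

```powershell
# Added example (not from the original post): triage a blocked or permitted computer account
# re-use from the client-side netsetup.log and the DC-side SAM/Netjoin events.
# Assumptions: Get-WinEvent can reach the DC's System log; provider names are matched loosely
# because the post only gives the displayed event sources.

function Get-NetJoinReuseDecision {
    param([string[]]$LogLines)
    $r = [ordered]@{ ReuseAllowed = $null; AdPolicyStatus = $null; LegacyBypass = $null; FinalError = $null; Note = '' }
    foreach ($line in $LogLines) {
        if ($line -match 'fReuseAllowed:\s*(TRUE|FALSE)')                                    { $r.ReuseAllowed   = ($Matches[1] -eq 'TRUE') }
        if ($line -match 'Active Directory Policy check returned NetStatus:(0x[0-9a-f]+)')   { $r.AdPolicyStatus = $Matches[1] }
        if ($line -match "IsLegacyAccountReuseSetInRegistry returning: '(TRUE|FALSE)'")      { $r.LegacyBypass   = ($Matches[1] -eq 'TRUE') }
        if ($line -match 'NetpDoDomainJoin: status: (0x[0-9a-f]+)')                         { $r.FinalError     = $Matches[1] }
    }
    # 0x32 (STATUS_NOT_SUPPORTED) means only the client has the March 14, 2023 update
    if ($r.AdPolicyStatus -eq '0x32') { $r.Note = 'DC lacks the March 2023 update; legacy ownership checks applied' }
    if ($r.LegacyBypass)              { $r.Note = 'NetJoinLegacyAccountReuse is set: CVE-2022-38042 protections bypassed' }
    [pscustomobject]$r
}

# Constructed sample: the decisive lines from the blocked-join excerpt quoted in the post
$sample = @'
NetpCheckIfAccountShouldBeReused: Account was created through joinpriv and does not belong to this user. Blocking re-use of account.
NetpCheckIfAccountShouldBeReused:fReuseAllowed: FALSE, NetStatus:0x0
NetpModifyComputerObjectInDs: Account exists and re-use is blocked by policy. Error: 0xaac
NetpDoDomainJoin: status: 0xaac
'@ -split "`r?`n"
Get-NetJoinReuseDecision -LogLines $sample          # ReuseAllowed False, FinalError 0xaac
# Live use on a client: Get-NetJoinReuseDecision -LogLines (Get-Content C:\Windows\debug\netsetup.log)

# DC side: the four new SAM events plus the Netjoin client events, newest first.
# 16996 = malformed allow-list SDDL in the GPO, 16998 = rejected re-use attempt worth alerting on.
function Get-AccountReuseEvents {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    $filter = @{ LogName = 'System'; Id = 4100, 4101, 16995, 16996, 16997, 16998; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.ProviderName -like '*Directory-Services-SAM*' -or $_.ProviderName -like '*Netjoin*' } |
        Select-Object TimeCreated, Id, LevelDisplayName, ProviderName, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}
Get-AccountReuseEvents | Format-Table -AutoSize
```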