Hi,
With the October 2022 update KB5020276, Microsoft hardened the security checks for re-using a domain computer object.
A re-join fails if the user lacks the appropriate permissions, and the error message "Re-using the account was blocked by security policy" appears.
Currently a workaround exists: set the following registry value on the client:
D:\> Reg add HKLM\System\CurrentControlSet\Control\Lsa /v NetJoinLegacyAccountReuse /t REG_DWORD /d 1 /f
After joining the domain, remove the value again to avoid any security impact:
D:\> Reg delete HKLM\System\CurrentControlSet\Control\Lsa /v NetJoinLegacyAccountReuse /f
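As an added example (not part of the original post), a PowerShell wrapper that keeps the value present only while Add-Computer runs and removes it in a finally block, whether the join succeeds or fails; the function names, the OU placeholder and the elevated-session assumption are mine.

```powershell
# Added example, not from the original post: enable the temporary
# NetJoinLegacyAccountReuse workaround only for the duration of the join
# and remove it afterwards even if Add-Computer throws.
# Assumes an elevated PowerShell session on the client being joined.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$KeyName = 'NetJoinLegacyAccountReuse'

function Test-LegacyAccountReuseEnabled {
    # Returns $true when the workaround value is still present and set to 1.
    $prop = Get-ItemProperty -Path $KeyPath -Name $KeyName -ErrorAction SilentlyContinue
    return ($null -ne $prop -and $prop.$KeyName -eq 1)
}

function Join-DomainWithTemporaryReuse {
    param(
        [Parameter(Mandatory)] [string] $DomainName,       # e.g. 'xxx.yy' as in the post
        [Parameter(Mandatory)] [pscredential] $Credential, # account allowed to reuse the object
        [string] $OUPath                                   # optional, placeholder: 'OU=Clients,DC=xxx,DC=yy'
    )
    # Enable the legacy behaviour only for this join.
    New-ItemProperty -Path $KeyPath -Name $KeyName -PropertyType DWord -Value 1 -Force | Out-Null
    try {
        $params = @{ DomainName = $DomainName; Credential = $Credential; ErrorAction = 'Stop' }
        if ($OUPath) { $params.OUPath = $OUPath }
        Add-Computer @params
        Write-Host "Joined $DomainName; a reboot is required."
    }
    finally {
        # Always remove the value so the hardening is back in force.
        Remove-ItemProperty -Path $KeyPath -Name $KeyName -ErrorAction SilentlyContinue
        if (Test-LegacyAccountReuseEnabled) {
            Write-Warning "$KeyName is still set; remove it manually."
        }
    }
}

# Usage: prompts for the domain account that is permitted to reuse the computer object.
# Join-DomainWithTemporaryReuse -DomainName 'xxx.yy' -Credential (Get-Credential)
```

Test-LegacyAccountReuseEnabled can also be run on its own later to confirm no client was left with the value in place.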
Update 12.11.2022: I opened a support case at Microsoft because this change breaks several delegation concepts. As a result, setting the registry key is an (official) temporary workaround. But, citing Microsoft: this can be removed in the future (and can be replaced by another method). The support engineer says there are other customers that have opened a similar request, and Microsoft is currently evaluating the impact of the change.
So if you have the ability: open a support case (company account). The more cases, the more important it becomes for Microsoft to work on this issue.
to be continued…
Michael
I tried this on a freshly installed laptop.
The error message:
The following error occurred attempting to join the domain "xxx.yy":
An entry with the same name already exists in Active Directory. Re-using the account was blocked by security policy.
After adding the registry key, I could join our domain again.
Thank you very much.
It worked for me too! Thanks!
I ran into this for the first time today. The workaround to add the registry entry fixed the issue. Thank you for posting the fix!
This fixed it for us as well. Thank you for making this public! You saved a lot of time on a Saturday for 5+ people.
Pretty irresponsible to blog about this and not make clear that you should be REMOVING this registry key once domain join completed. Leaving this key enabled/security feature disabled is a risk with no practical benefit.
Remove-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\ -Name NetJoinLegacyAccountReuse
Hi Mike C,
added hint.
THX Michael
In the process of rebuilding an Exchange Server, and this error came up.
Was able to quickly fix!
Thank you for sharing!
Fantastic solution, could join domain. Thanks for posting.
That worked. Thank you.
This will work for me as well. Thanks, you only need to run the command prompt as an admin.
Reg add HKLM\System\CurrentControlSet\Control\Lsa /v NetJoinLegacyAccountReuse /t REG_DWORD /d 1 /f
Reg delete HKLM\System\CurrentControlSet\Control\Lsa /v NetJoinLegacyAccountReuse /f
Thank you !!!!!!!