{"id":8950,"date":"2022-10-12T22:35:24","date_gmt":"2022-10-12T20:35:24","guid":{"rendered":"https:\/\/michlstechblog.info\/blog\/?p=8950"},"modified":"2022-12-20T18:25:59","modified_gmt":"2022-12-20T17:25:59","slug":"windows-unable-to-join-domain-re-using-the-account-was-blocked-by-security-policy","status":"publish","type":"post","link":"https:\/\/michlstechblog.info\/blog\/windows-unable-to-join-domain-re-using-the-account-was-blocked-by-security-policy\/","title":{"rendered":"Windows: Unable to join domain: Re-using the account was blocked by security policy."},"content":{"rendered":"<p>Hi,<\/p>\n<p>With the October 2022 update <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8\" rel=\"noopener\" target=\"_blank\">kb5020276<\/a>, Microsoft has hardened the security for re-using a domain's computer object.<\/p>\n<p>A re-join fails if the user does not have the appropriate permissions. The error message <strong>Re-using the account was blocked by security policy<\/strong> occurs.<br \/>\n<!--more--><\/p>\n<p>Currently a workaround exists: set the following registry key on the client:<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nD:\\&gt; Reg add HKLM\\System\\CurrentControlSet\\Control\\Lsa \/v NetJoinLegacyAccountReuse \/t REG_DWORD \/d 1 \/f\r\n<\/pre>\n<p>After joining the domain, remove the key to avoid any security impacts.<\/p>\n<pre class=\"brush: bash; title: ; notranslate\" title=\"\">\r\nD:\\&gt; Reg delete HKLM\\System\\CurrentControlSet\\Control\\Lsa \/v NetJoinLegacyAccountReuse \/f\r\n<\/pre>\n<p>Update 12.11.2022: I opened a support case at Microsoft because this change breaks several delegation concepts. 
As a result, setting the registry key is an <a href=\"https:\/\/support.microsoft.com\/en-us\/topic\/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8\" rel=\"noopener\" target=\"_blank\">(official) temporary workaround<\/a>, but, quoting Microsoft: This can be removed in the future (and can be replaced by another method). The support engineer says there are other customers that have opened a similar request and Microsoft is currently evaluating the impact of the change.<br \/>\nSo if you have the ability: Open a <a href=\"http:\/\/serviceshub.microsoft.com\" rel=\"noopener\" target=\"_blank\">support case<\/a> (company account). The more cases, the more important it is for Microsoft to work on this issue.<\/p>\n<p>To be continued&#8230;<\/p>\n<p>Michael<\/p>\n<p><!-- https:\/\/borncity.com\/win\/2022\/10\/12\/windows-oktober-2022-patchday-fix-fr-domain-join-hardening-cve-2022-38042-verhindert-ggf-domain-join\/ --><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hi, with the October 2022 update kb5020276 Microsoft has hardened the security for re-using a domain's computer object. A re-join fails if the user does not have the appropriate permissions. 
The error message: Re-using the account was blocked by security policy occurs.<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[126,1898,1899,1897,20],"class_list":["post-8950","post","type-post","status-publish","format-standard","hentry","category-windowsknowhow","tag-domain","tag-jojn","tag-re-using-the-account-was-blocked-by-security-policy","tag-unable","tag-windows-2"],"amp_enabled":true,"_links":{"self":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/8950","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/comments?post=8950"}],"version-history":[{"count":10,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/8950\/revisions"}],"predecessor-version":[{"id":9160,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/posts\/8950\/revisions\/9160"}],"wp:attachment":[{"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/media?parent=8950"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/categories?post=8950"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/michlstechblog.info\/blog\/wp-json\/wp\/v2\/tags?post=8950"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}