AD Security: Domain Join hardening



When attempting to add a pre-created (provisioned) PC to a domain, or to reuse an existing computer account, the following error is encountered:

An account with the same name exists in Active Directory. Re-using the account was blocked by the security policy.

Microsoft released this update on October 11, 2022, introducing additional protections (hardening) for your environment. This hardening mitigates CVE-2022-38042 (Active Directory Domain Services Elevation of Privilege Vulnerability).

Legacy behaviour

Before the installation of the October 11, 2022 update, or later cumulative updates, the client computer queries Active Directory for an existing account with the same name. This query occurs during domain join and computer account provisioning. If such an account exists, the client will automatically attempt to reuse it.

Note: Under the legacy behaviour, reusing the computer account fails only if the user does not have the appropriate permission to join the device to the domain. There were two other scenarios, depending on the default behaviours and flags, in which reuse of the account (or of the provisioned account) was disallowed, but only when explicitly configured.

Reason for this behaviour

Microsoft released KB5020276 last month (October 2022), which modifies the domain join process and performs additional security checks before attempting to reuse existing computer accounts. These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain, with the following exceptions:

  • Account reuse attempts will be permitted if the user attempting the operation is the creator of the existing account.
  • Account reuse attempts will be permitted if the account was created by a member of domain administrators.

Therefore, computer account reuse is permitted only in the two scenarios above.

New behavior

Once you install the October 11, 2022 update, or subsequent cumulative updates, on a client computer, the client performs additional security checks during domain join before attempting to reuse an existing computer account. If an account has already been pre-positioned (created) or was joined to the domain previously, and you do not meet either of the two account reuse criteria, the error quoted above is shown.

These additional security checks are done before attempting to join the computer. If the checks are successful, the rest of the join operation is subject to Active Directory permissions as before. This change does not affect new accounts.
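As an added example (not part of the original post), the following PowerShell function approximates the hardened check from the administrator's side before a join is attempted: it reads the owner of the existing computer object and reports whether reuse would be permitted for the joining user. It assumes the RSAT ActiveDirectory module is available, that the object's security-descriptor owner is what the join compares against, and the function name and 90-day staleness threshold are my own choices.

```powershell
# Added example, not from the original post. Assumes RSAT ActiveDirectory module.
Import-Module ActiveDirectory

function Test-ComputerAccountReuse {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        # Account that will perform the join, as 'DOMAIN\user'
        [string] $JoinUser = "$env:USERDOMAIN\$env:USERNAME"
    )
    $computer = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
        -Properties nTSecurityDescriptor, lastLogonTimestamp
    if (-not $computer) {
        return [pscustomobject]@{ ComputerName = $ComputerName; Exists = $false
            ReuseAllowed = $true; Owner = $null; LastLogon = $null
            Advice = 'No existing account: the join creates a new one.' }
    }
    # The hardened join compares the existing object's creator/owner with the joining user
    # (assumption: the security-descriptor owner is the attribute being checked).
    $owner    = [string] $computer.nTSecurityDescriptor.Owner      # e.g. 'CONTOSO\jdoe'
    $ownerSam = $owner.Split('\')[-1]
    $joinSam  = $JoinUser.Split('\')[-1]
    $domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Select-Object -ExpandProperty SamAccountName
    $allowed = ($ownerSam -eq $joinSam) -or
               ($ownerSam -eq 'Domain Admins') -or
               ($domainAdmins -contains $ownerSam)
    $lastLogon = if ($computer.lastLogonTimestamp) {
        [DateTime]::FromFileTime($computer.lastLogonTimestamp) } else { $null }
    $advice = if ($allowed) {
        'Reuse permitted; the rest of the join is subject to normal AD permissions.' }
    elseif (-not $lastLogon -or $lastLogon -lt (Get-Date).AddDays(-90)) {
        "Account looks stale (last logon: $lastLogon); delete it in AD, then rejoin." }
    else {
        "Join as the owner ($owner) or rename the computer; do not set NetJoinLegacyAccountReuse casually." }
    [pscustomobject]@{ ComputerName = $ComputerName; Exists = $true; ReuseAllowed = $allowed
        Owner = $owner; LastLogon = $lastLogon; Advice = $advice }
}

# Usage (placeholder names): Test-ComputerAccountReuse -ComputerName 'PC-LAB-01' -JoinUser 'CONTOSO\jdoe'
```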


Action Taken

Step 1: Since I am very okay with this hardening and will not be finding a way around it, I will simply proceed to Active Directory and have the computer account deleted. Then, I will proceed to have the device join the domain again. These steps are too basic and I will not be describing them here. You can take a look at the link for more information.

Step 2: Now that the device (computer account) has been deleted from AD, I will proceed and have the device joined to the domain again. Like I said, if you do not have the right permissions, the domain join process will fail. This behaviour has not changed!!!

For those of you who install Windows via WDS etc., I would advise having the computer account deleted; otherwise, the domain join process will fail. At the time of writing this piece, this is the recommended approach.

Other Workarounds

Review computer account provisioning workflows to understand whether changes are required.

  • Perform the join operation using the same account that created the computer account in the target domain.
  • If the existing account is stale (unused), delete it before attempting to join the domain again. This is exactly the action I took!
  • Rename the computer and join using a different account that doesn’t already exist. This is a possibility, but what if you really cannot use a different name? Then the next solution should work for you.
  • If the existing account is owned by a trusted security principal and an administrator wants to reuse the account, they can do so by temporarily setting the following registry key on the individual client computer, then removing the registry setting immediately after the join operation is complete. No restart is necessary for changes to the registry key to take effect. Kindly head over to the original post to see how the registry key was created and deleted after the domain join was successful.

Path: HKLM\System\CurrentControlSet\Control\LSA
Type: REG_DWORD
Name: NetJoinLegacyAccountReuse
Value: 1 (other values are ignored)

Note: If you choose to set this key to work around these protections, you will leave your environment vulnerable to CVE-2022-38042 unless your scenario is referenced below as appropriate. Do not use this method without confirmation that the Creator/Owner of the existing computer object is a secure and trusted security principal.
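As an added example (not from the original post), this PowerShell function applies the registry workaround described above only for the duration of a single join and removes the value in a finally block, so the legacy behaviour is not left enabled if the join throws. It assumes it runs elevated on the client being joined; the function name, domain name and credential handling are my own placeholders.

```powershell
# Added example, not from the original post. Run elevated on the client being joined.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
$regName = 'NetJoinLegacyAccountReuse'

function Join-DomainWithLegacyReuse {
    param(
        [Parameter(Mandatory)] [string] $DomainName,        # e.g. 'corp.example.com' (placeholder)
        [Parameter(Mandatory)] [pscredential] $Credential   # account permitted to join the domain
    )
    # Precondition from the post: only use this after confirming the existing object's
    # Creator/Owner is a trusted security principal.
    if (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue) {
        throw "$regName is already set on this client; investigate why before continuing."
    }
    try {
        # Value 1 re-enables legacy account reuse; other values are ignored.
        New-ItemProperty -Path $regPath -Name $regName -PropertyType DWord -Value 1 -Force | Out-Null
        Add-Computer -DomainName $DomainName -Credential $Credential -ErrorAction Stop
        Write-Host "Joined $DomainName; reboot to complete the join."
    }
    finally {
        # Remove the value whether or not the join succeeded; no restart is needed for it to apply.
        Remove-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue
        if (Get-ItemProperty -Path $regPath -Name $regName -ErrorAction SilentlyContinue) {
            Write-Warning "Could not remove $regName; remove it manually before the next join."
        }
    }
}

# Usage (placeholder domain): Join-DomainWithLegacyReuse -DomainName 'corp.example.com' -Credential (Get-Credential)
```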


4 comments

Userlevel 7
Badge +8

Really great article on security.  Thanks for sharing.

Userlevel 7
Badge +5

Really great article on security.  Thanks for sharing.

You are welcome

Userlevel 7
Badge +3

Great article @Iams3le 

Glad that Microsoft have started hardening bits like these

Userlevel 7
Badge +2

Thank you for posting this...makes it easier considering I’m sure I’ll run into it and have to do research to see why I’m running into a “new” error, so this will help save that time!
