Summary

Windows updates released on and after October 11, 2022, contain additional protections introduced by CVE-2022-38042. These protections intentionally prevent domain join operations from reusing an existing computer account in the target domain unless:

- The user attempting the operation is the creator of the existing account.
- The computer was created by a member of domain administrators.
- The owner of the computer account that is being reused is a member of the "Domain controller: Allow computer account re-use during domain join" Group Policy setting. This setting requires the installation of Windows updates released on or after March 14, 2023, on ALL member computers and domain controllers.

For more information, see the October 11, 2022 behavior and Take Action sections. Updates released on and after March 14, 2023, will provide additional options for affected customers on Windows Server 2012 R2 and above and all supported clients.

Behavior before October 11, 2022

Before you install the October 11, 2022, or later cumulative updates, the client computer queries Active Directory for an existing account with the same name. This query occurs during domain join and computer account provisioning. If such an account exists, the client will automatically attempt to reuse it.

Note: The reuse attempt will fail if the user who attempts the domain join operation does not have the appropriate write permissions. However, if the user has enough permissions, the domain join will succeed.

There are two scenarios for domain join, with their respective default behaviors and flags:

- Domain join: defaults to account reuse (unless the NETSETUP_NO_ACCT_REUSE flag is specified).
- Account provisioning (NetProvisionComputerAccount / NetCreateProvisioningPackage): defaults to NO reuse (unless NETSETUP_PROVISION_REUSE_ACCOUNT is specified).

Behavior after October 11, 2022

Once you install the October 11, 2022, or later Windows cumulative updates on a client computer, during domain join the client will perform additional security checks before attempting to reuse an existing computer account.

Algorithm:

- An account reuse attempt will be permitted if the user attempting the operation is the creator of the existing account.
- An account reuse attempt will be permitted if the account was created by a member of domain administrators.

These additional security checks are done before attempting to join the computer. If the checks are successful, the rest of the join operation is subject to Active Directory permissions as before. This change does not affect new accounts.

Note: After installing the October 11, 2022, or later Windows cumulative updates, domain join with computer account reuse might intentionally fail with the following error:

Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: "An account with the same name exists in Active Directory. Re-using the account was blocked by security policy."

If so, the account is intentionally being protected by the new behavior. Event ID 4101 will be triggered once the error above occurs, and the issue will be logged in c:\windows\debug\netsetup.log. Please follow the steps below in Take Action to understand the failure and resolve the issue.

Behavior after March 14, 2023

In the Windows updates released on or after March 14, 2023, we made a few changes to the security hardening. These changes include all the changes we made on October 11, 2022.

First, we expanded the scope of groups that are exempt from this hardening. In addition to Domain Administrators, the Enterprise Administrators and Built-in Administrators groups are now exempt from the ownership check.

Second, we implemented a new Group Policy setting. Administrators can use it to specify an allow list of trusted computer account owners. The computer account will bypass the security check if one of the following is true:
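As an added example that is not part of the Microsoft article: a PowerShell audit, run from a domain-joined workstation with the RSAT ActiveDirectory module, that lists the computer accounts whose owner is not exempt from the ownership check, so an administrator can see in advance which existing accounts a non-creator will be blocked from reusing once the March 14, 2023 updates are in place. The -AllowListGroups parameter is an assumption of this script: pass it the groups you placed in the "Domain controller: Allow computer account re-use during domain join" policy so they count as exempt too.

```powershell
<#
  Added audit script, not part of the Microsoft article. It reports every
  computer account whose owner is NOT exempt from the ownership check, i.e.
  an account that only its creator could reuse after the March 14, 2023
  updates, unless the owner is covered by the allow-list policy.
  Assumptions: RSAT ActiveDirectory module installed; -AllowListGroups is a
  hypothetical parameter naming the groups you put in the allow-list policy.
#>
param(
    [string[]]$AllowListGroups = @()
)
Import-Module ActiveDirectory

# Groups exempt from the ownership check as of March 14, 2023.
$forestRoot = (Get-ADForest).RootDomain
$exemptGroups = @(
    @{ Name = 'Domain Admins';     Server = $null },
    @{ Name = 'Enterprise Admins'; Server = $forestRoot },   # exists only in the forest root
    @{ Name = 'Administrators';    Server = $null }          # Built-in Administrators
)
foreach ($name in $AllowListGroups) { $exemptGroups += @{ Name = $name; Server = $null } }

# Collect the SID of each exempt group and of all its nested members. Objects
# created by an administrator are typically owned by the group itself, so the
# group's own SID must count as exempt as well.
$exemptSids = New-Object 'System.Collections.Generic.HashSet[string]'
foreach ($g in $exemptGroups) {
    $p = @{ Identity = $g.Name }
    if ($g.Server) { $p.Server = $g.Server }
    [void]$exemptSids.Add((Get-ADGroup @p).SID.Value)
    Get-ADGroupMember @p -Recursive | ForEach-Object { [void]$exemptSids.Add($_.SID.Value) }
}

$sidType = [System.Security.Principal.SecurityIdentifier]
$ntType  = [System.Security.Principal.NTAccount]
Get-ADComputer -Filter * -Properties nTSecurityDescriptor | ForEach-Object {
    $sd = $_.nTSecurityDescriptor
    $ownerSid = $sd.GetOwner($sidType).Value
    # Resolving the owner to a name fails for orphaned SIDs; fall back to the SID.
    try   { $ownerName = $sd.GetOwner($ntType).Value }
    catch { $ownerName = $ownerSid }
    [pscustomobject]@{
        Computer    = $_.Name
        Owner       = $ownerName
        OwnerExempt = $exemptSids.Contains($ownerSid)
    }
} | Where-Object { -not $_.OwnerExempt } | Sort-Object Owner | Format-Table -AutoSize
```

Accounts that appear in the output can be reused only by the listed owner, so either that user performs the join or the owner (or its group) is added to the allow-list policy on all March 14, 2023-updated domain controllers and members.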
Applies to: Windows Server 2008 Datacenter ESU, Windows Server 2008 Standard ESU, Windows Server 2008 Enterprise ESU, Windows 7 Enterprise ESU, Windows 7 Professional ESU, Windows 7 Ultimate ESU, Windows Server 2008 R2 Enterprise ESU, Windows Server 2008 R2 Standard ESU, Windows Server 2008 R2 Datacenter ESU, Windows Embedded Standard 7 ESU, Windows Embedded POSReady 7 ESU, Windows Server 2012, Windows Embedded 8 Standard, Windows 8.1, Windows RT 8.1, Windows Server 2012 R2, Windows Embedded 8.1 Industry Enterprise, Windows Embedded 8.1 Industry Pro, Windows 10, Windows 10, version 1607, all editions, Windows Server 2016, all editions, Windows 10 Enterprise LTSC 2019, Windows 10 IoT Enterprise LTSC 2019, Windows 10 IoT Core 2019 LTSC, Windows Server 2019, Windows 10 Enterprise Multi-Session, version 20H2, Windows 10 Enterprise and Education, version 20H2, Windows 10 IoT Enterprise, version 20H2, Windows 10 on Surface Hub, Windows 10, version 21H1, all editions, Windows 10, version 21H2, all editions, Windows 11, version 21H2, all editions, Windows 11, version 22H2, all editions, Windows Server 2022.