Domain Join Errors and KB5020276

Recently I had to re-image and re-join some Server 2019 virtual machines to the domain and I came across this error while attempting to join the domain.

Error 0xaac (2732): NERR_AccountReuseBlockedByPolicy: “An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.”

These changes were introduced by Microsoft as part of the KB5020276 domain-join hardening, to provide additional protection against CVE-2022-38042, an Active Directory elevation-of-privilege vulnerability.

While I could create new names since these VMs are just used for testing and let the team know the new name of the test servers, I thought it would be nice to keep the old ones.

In order to work around this, I made the following registry change to allow me to re-use the old name.

reg add "HKLM\System\CurrentControlSet\Control\LSA" /v NetJoinLegacyAccountReuse /t REG_DWORD /d 1 /f

After adding the key, I was able to re-join the machine to the domain. Remember to remove the key after you are done joining the domain.
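As an added example (this is not the post's own script, and not Microsoft's), here is the same three-step procedure wrapped in PowerShell so the value is set only for the duration of the join and is removed again even if the join throws. The domain name and the credential prompt are placeholders you supply; the script assumes it is run elevated on the machine being joined.

```powershell
# Added example, not from the original post.
# Assumptions (constructed placeholders): $DomainName is the AD domain to join;
# the script runs elevated on the machine being joined; a domain account with
# rights to join is entered at the credential prompt.
param(
    [string]$DomainName = 'corp.example.test'   # placeholder domain
)

$LsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'NetJoinLegacyAccountReuse'

function Get-LegacyAccountReuse {
    # Returns the current DWORD value, or $null when the value is absent
    # (absent means the KB5020276 hardening is in effect on this client).
    $p = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $p) { return $null }
    return $p.$ValueName
}

$cred = Get-Credential -Message "Domain account used for the join"

try {
    # Step 1: allow legacy account reuse, only for this join.
    Set-ItemProperty -Path $LsaPath -Name $ValueName -Value 1 -Type DWord

    # Step 2: join (or re-join) with the existing computer name.
    # No -Restart here, so the finally block runs before any reboot.
    $result = Add-Computer -DomainName $DomainName -Credential $cred -Force -PassThru
    if (-not $result.HasSucceeded) {
        throw "Join to $DomainName did not succeed"
    }
    Write-Host "Joined $DomainName. Restart the machine to complete the join."
}
finally {
    # Step 3: always restore the hardening, whether or not the join worked.
    Remove-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -ne (Get-LegacyAccountReuse)) {
        Write-Warning "$ValueName is still present under $LsaPath; remove it by hand before restarting."
    }
}
```

The value is removed in a `finally` block rather than after the join because, while it is set, the hardening is off for every domain join this client performs, not just the one you intended. Restart with `Restart-Computer` after the script returns, so the removal has already happened. Per the KB linked below, the key is not needed when the joining account is the one that originally created the computer object or is a Domain Admin, so using that account is the cleaner option where it is available.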

Source for reference: https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8