In October 2022, Microsoft hardened the domain join process in the Windows security updates released on October 11, 2022, documented in KB5020276, to close a privilege escalation path through computer account reuse in Active Directory (CVE-2022-38042). The changes strengthen security but require adjustments to administrative practices and workflows, particularly any that rely on re-joining machines to existing computer accounts.
Background and Rationale
Before this update, a client joining a domain queried Active Directory for a computer account with the same name. If one existed, the client reused it, provided the joining user had write permission on it. The join then set a new password on that account, so the joining machine took over the existing object's identity, including any group memberships and delegation settings it carried. That was convenient for re-imaging, but it meant that anyone with write access to a computer object (its creator, or any user granted write rights to it) could point a machine they control at that object and inherit whatever rights it held.

To close this gap, Microsoft shipped the changes described in KB5020276: the join now performs an additional ownership check before reusing an existing account and refuses the reuse when the check fails, reducing the scope for privilege escalation through account reuse.
Key Changes Introduced
The update implements the following security measures:
- Ownership verification: when an account with the same name already exists, the join compares the owner recorded in the account's security descriptor with the user performing the join. Reuse is permitted only if that user is the creator (owner) of the existing account, or if the account was created by a member of Domain Admins (objects created by a Domain Admin are owned by the Domain Admins group by default). A join that fails the check returns error 0xaac (2732): "An account with the same name exists in Active Directory. Re-using the account was blocked by security policy."
- Enhanced group exemptions: as of the March 14, 2023 update, accounts owned by Enterprise Admins or by the built-in Administrators group (BUILTIN\Administrators) may also be reused.
- Group Policy configuration: the same update adds the setting "Domain controller: Allow computer account re-use during domain join" (Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options), which holds an allow list of trusted computer account owners. Accounts owned by a principal on the list may be reused even when the joining user is not the owner. The check is enforced by the domain controller, so the setting must reach the DCs (for example through a GPO linked to the Domain Controllers OU), and the DCs must carry the March 2023 or a later update for it to take effect.
- Registry key deprecation: the client-side override NetJoinLegacyAccountReuse (DWORD value 1 under HKLM\SYSTEM\CurrentControlSet\Control\LSA), which restored the pre-October 2022 behaviour, is removed in updates released on or after August 13, 2024. Administrators are advised to move to the Group Policy allow list before then.
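An audit of existing computer objects against this rule, added here as an example and not code from KB5020276 or Microsoft. It assumes the ActiveDirectory RSAT module, read access to nTSecurityDescriptor, and that the allow-list entries are passed by hand as DOMAIN\principal names (the effective list lives in the DC policy). The function models only the documented rule (owner equals the joining user, owner is an exempt administrators group, or owner is on the allow list); the names CONTOSO\svc-deploy, CONTOSO\Deployment Owners and WS-0042 are constructed.

```powershell
# Added example, not code from KB5020276 or Microsoft. Models the documented re-use rule against
# the owner recorded on an existing computer object, so a blocked re-join can be predicted before
# a re-imaging run. Requires the ActiveDirectory RSAT module and read access to nTSecurityDescriptor.
Import-Module ActiveDirectory

function Get-ReuseExemptOwnerSid {
    # Owners whose computer objects anyone may re-use (exemptions as of the March 14, 2023 update):
    # Domain Admins (RID 512), Enterprise Admins (RID 519 in the forest root), BUILTIN\Administrators.
    $domainSid = (Get-ADDomain).DomainSID.Value
    $rootSid   = (Get-ADDomain -Identity (Get-ADForest).RootDomain).DomainSID.Value
    @("$domainSid-512", "$rootSid-519", 'S-1-5-32-544')
}

function Test-ComputerAccountReuse {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]   $ComputerName,   # name being joined, with or without the trailing '$'
        [Parameter(Mandatory)] [string]   $JoiningUser,    # DOMAIN\user that will run the join
        [string[]] $AllowListOwners = @()                   # DOMAIN\principal entries from the DC allow-list policy
    )
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $sam = $ComputerName.TrimEnd('$') + '$'
    $obj = Get-ADComputer -Filter "sAMAccountName -eq '$sam'" -Properties nTSecurityDescriptor
    if (-not $obj) {
        return [pscustomobject]@{ Computer = $sam; Exists = $false; Owner = $null; ReuseAllowed = $true
                                  Reason = 'No existing account; the join creates a new one' }
    }

    $ownerSid = $obj.nTSecurityDescriptor.GetOwner($sidType)
    try   { $ownerName = $ownerSid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $ownerName = $ownerSid.Value }                  # orphaned owner SID: report it raw
    $userSid  = ([System.Security.Principal.NTAccount]$JoiningUser).Translate($sidType).Value
    $allowSid = @(foreach ($p in $AllowListOwners) { ([System.Security.Principal.NTAccount]$p).Translate($sidType).Value })

    # The three documented ways the check passes; anything else is blocked.
    if     ($ownerSid.Value -eq $userSid)                        { $reason = 'Joining user is the owner (creator) of the account' }
    elseif ((Get-ReuseExemptOwnerSid) -contains $ownerSid.Value) { $reason = 'Owner is an exempt administrators group' }
    elseif ($allowSid -contains $ownerSid.Value)                 { $reason = 'Owner is on the policy allow list' }
    else                                                         { $reason = $null }

    $outcome = if ($reason) { $reason } else { 'Blocked: expect error 0xaac (2732) and NetJoin event 4101 on the client' }
    [pscustomobject]@{
        Computer     = $sam
        Exists       = $true
        Owner        = $ownerName
        ReuseAllowed = [bool]$reason
        Reason       = $outcome
    }
}

# Constructed usage (hypothetical names): will CONTOSO\svc-deploy be able to re-join WS-0042?
Test-ComputerAccountReuse -ComputerName 'WS-0042' -JoiningUser 'CONTOSO\svc-deploy' -AllowListOwners 'CONTOSO\Deployment Owners'
```

Run it over the machines in an upcoming re-imaging batch (for example by piping the output of Get-ADComputer through it) and fix ownership or the allow list for every row with ReuseAllowed false before the batch starts, rather than discovering the 0xaac failures one machine at a time.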
Implications for Administrators
These changes have several implications:
- Operational adjustments: workflows that reuse computer accounts, such as automated deployment or re-imaging pipelines in which a service account joins a machine whose object it did not create, now fail with error 0xaac unless that account owns the object, the owner is an exempt administrators group, or the owner is on the allow list. Review such processes and decide, per workflow, whether to change the object's owner, have the provisioning account create every object it will later re-join, or add its group to the allow list.
- Policy configuration: configure the new Group Policy allow list on the domain controllers to name the trusted owners, so that legitimate re-joins keep working without the legacy registry override.
- Monitoring and logging: the client records the outcome of the check in its System event log under the NetJoin source: event 4100 when an existing account was found and reuse was permitted, and event 4101 when reuse was blocked. Watch for 4101 during rollouts to catch broken workflows, and keep 4100 in log collection as well, since reuse of existing accounts outside a deployment window is worth a second look.
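The monitoring side of this, as an added example rather than code from KB5020276 or Microsoft: one function pulls NetJoin events 4100 and 4101 from a client's System log, the other reports whether the deprecated NetJoinLegacyAccountReuse override is still set on that client. Remote use assumes WinRM (for the registry probe) and remote event log access; the event log, provider name, event IDs and registry path are those documented in the KB, everything else is the example's own choice.

```powershell
# Added example, not code from KB5020276 or Microsoft. Collects the NetJoin re-use events a client
# writes to its System log and reports whether the deprecated client-side override is still present.
function Get-NetJoinReuseEvent {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Days = 30)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'NetJoin'
        Id           = 4100, 4101                  # 4100: re-use permitted, 4101: re-use blocked
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    # Get-WinEvent reports "no events were found" as an error; treat that as an empty result.
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $outcome = if ($_.Id -eq 4100) { 'Re-use permitted' } else { 'Re-use blocked (error 0xaac / 2732)' }
            [pscustomobject]@{
                Time     = $_.TimeCreated
                Computer = $_.MachineName
                EventId  = $_.Id
                Outcome  = $outcome
                Detail   = ($_.Message -split '\r?\n')[0]   # first line of the message carries the summary
            }
        }
}

function Test-LegacyReuseOverride {
    # NetJoinLegacyAccountReuse = 1 under HKLM\SYSTEM\CurrentControlSet\Control\LSA bypassed the check.
    # Updates from August 13, 2024 onward drop support for it, so a machine still setting it needs a
    # workflow fix (ownership or allow list), not the registry value.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $probe = {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
        $val = (Get-ItemProperty -Path $key -Name NetJoinLegacyAccountReuse -ErrorAction SilentlyContinue).NetJoinLegacyAccountReuse
        [pscustomobject]@{ Computer = $env:COMPUTERNAME; LegacyOverrideSet = ($val -eq 1) }
    }
    if ($ComputerName -eq $env:COMPUTERNAME) { & $probe }
    else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $probe }
}

# Constructed usage: review the last 30 days on the local machine.
Get-NetJoinReuseEvent | Format-Table -AutoSize
Test-LegacyReuseOverride
```

Feed the same filter (System log, provider NetJoin, IDs 4100 and 4101) to your log forwarder so the events reach the SIEM; on the endpoint, a 4101 immediately after an imaging task is the signature of a workflow that still depends on reusing an account it does not own.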
Recommendations
To adapt to these changes, administrators should:
- Update systems: apply the current Windows cumulative updates to all domain controllers and member computers. The allow list in particular is enforced by the DCs, so it has no effect until they carry the March 14, 2023 or a later update.
- Configure Group Policies: use the "Domain controller: Allow computer account re-use during domain join" setting to name the users and groups whose computer accounts may be reused, and prefer a dedicated provisioning group over broad groups such as Authenticated Users.
- Review and modify workflows: inventory existing domain join and computer provisioning processes, identify which joining accounts do not own the objects they re-join, and adjust ownership, the provisioning account, or the allow list accordingly, rather than relying on NetJoinLegacyAccountReuse, which is gone from updates dated August 13, 2024 or later.
- Educate IT staff: make sure help desk and deployment staff recognise error 0xaac and NetJoin event 4101 as the account reuse check rather than a generic join failure, and know the supported ways to resolve it.
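One way to repair a re-imaging workflow under the new rule, as an added example and not code from KB5020276 or Microsoft: hand the existing computer object to the account that will perform the join, then join as that account. Changing an object's owner requires rights the provisioning account normally lacks (run that step as a Domain Admin); the names CONTOSO\svc-deploy, WS-0042 and contoso.example are constructed, and the AD: drive is the one the ActiveDirectory module provides.

```powershell
# Added example, not code from KB5020276 or Microsoft. Makes an existing computer object re-usable
# by a provisioning account before the re-join, instead of re-enabling the legacy override.
# Step 1 runs from an administrative context (changing the owner needs WriteOwner on the object, and
# setting it to another principal is an administrative operation); step 2 runs as the provisioning account.
Import-Module ActiveDirectory

function Set-ComputerAccountOwner {
    param(
        [Parameter(Mandatory)][string]$ComputerName,   # e.g. WS-0042
        [Parameter(Mandatory)][string]$NewOwner        # DOMAIN\principal that will perform the join
    )
    $computer = Get-ADComputer -Identity $ComputerName.TrimEnd('$')
    $path = "AD:\$($computer.DistinguishedName)"        # AD: drive comes with the ActiveDirectory module
    $acl  = Get-Acl -Path $path
    $acl.SetOwner([System.Security.Principal.NTAccount]$NewOwner)
    Set-Acl -Path $path -AclObject $acl
    (Get-Acl -Path $path).Owner                        # owner now recorded on the object, e.g. CONTOSO\svc-deploy
}

# Step 1 (as a Domain Admin, constructed names): the deployment account becomes the object's owner.
Set-ComputerAccountOwner -ComputerName 'WS-0042' -NewOwner 'CONTOSO\svc-deploy'

# Step 2 (on the freshly imaged WS-0042): the joining user now matches the object owner, so the
# re-use check passes and no NetJoinLegacyAccountReuse override is needed.
Add-Computer -DomainName 'contoso.example' `
             -Credential (Get-Credential -UserName 'CONTOSO\svc-deploy' -Message 'Domain join account') `
             -Restart
```

Ownership transfer is the right fix for a one-off batch. For a pipeline that re-images continually, make the provisioning account the creator of every object it will later re-join (a New-ADComputer pre-stage run as that account leaves it as owner), or put its group in the allow-list policy, so the per-object step disappears.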
Source: Microsoft Support, KB5020276 (Netjoin: Domain join hardening changes).