An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.
Description
When attempting to perform a domain join where you have pre-created the computer accounts in the target domain, or when a computer tries to rejoin the source domain during a rollback event, the following error is encountered:
An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.
Cause
Microsoft released KB5020276 in October 2022, which modifies the domain join process and performs additional security checks before attempting to reuse existing computer accounts.
Per the Microsoft KB article, computer account reuse is only permitted in the following scenarios:
The user attempting the operation is the creator of the existing account.
The computer account was created by a member of domain administrators.
The owner of the computer account being reused is listed in the "Domain controller: Allow computer account re-use during domain join" Group Policy setting.
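Because the reuse check hinges on who owns the existing computer object, it helps to report the owner of each pre-created account before the join is attempted and compare it with the account that will perform the join. The following is an added example, not code from the original article or from Microsoft; it assumes the RSAT ActiveDirectory module is installed, and the computer names and the CONTOSO\svc-join account are constructed placeholders.

```powershell
# Added example (not from the original article): report the owner of each
# pre-created computer account so it can be compared with the joining account.
# Assumes the RSAT ActiveDirectory module is available.
Import-Module ActiveDirectory

function Get-ComputerAccountOwner {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName
    )
    foreach ($name in $ComputerName) {
        # -Filter returns nothing (instead of throwing) when the object is absent.
        # nTSecurityDescriptor carries the object's security descriptor; its Owner
        # is the identity the KB5020276 reuse check compares against.
        $computer = Get-ADComputer -Filter "Name -eq '$name'" -Properties nTSecurityDescriptor
        if (-not $computer) {
            [pscustomobject]@{ Computer = $name; Exists = $false; Owner = $null }
            continue
        }
        [pscustomobject]@{
            Computer = $name
            Exists   = $true
            Owner    = $computer.nTSecurityDescriptor.Owner   # e.g. CONTOSO\svc-staging (constructed)
        }
    }
}

# CONTOSO\svc-join is a constructed placeholder for the account that will run the join.
$joiner = 'CONTOSO\svc-join'
Get-ComputerAccountOwner -ComputerName 'WS-001', 'WS-002' | ForEach-Object {
    # OwnedByJoiner = $true means reuse is permitted without any policy change.
    $_ | Add-Member -NotePropertyName OwnedByJoiner -NotePropertyValue ($_.Owner -eq $joiner) -PassThru
} | Format-Table -AutoSize
```

Accounts whose owner is neither the joining user nor a member of Domain Admins are the ones that need the owner added to the new Group Policy setting.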
Resolution
Follow Microsoft’s guidance in the Take Action section of the KB to configure the new group policy that grants permissions for specific accounts to re-use pre-existing computer accounts during domain join.
Install the March 14, 2023, updates on all member computers and domain controllers
Configure the new group policy setting
Open the following policy for editing: Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options\Domain controller: Allow computer account re-use during domain join
Select Define this policy setting and <Edit Security…>
Add users or groups to the Allow permission
Add the accounts that pre-created the computer accounts in Active Directory
If you previously enabled the NetJoinLegacyAccountReuse registry key, disable it on the member computer by deleting the key or setting the value to 0
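The steps above are carried out in the Group Policy editor and the registry; the script below is an added example (not from the original article or from Microsoft) that checks the two member-computer conditions from the last two steps: that an update from March 14, 2023 or later is installed, and that the legacy NetJoinLegacyAccountReuse value is deleted or set to 0. It assumes that value lives under HKLM\SYSTEM\CurrentControlSet\Control\LSA, which the article does not state; confirm the location against the Microsoft KB before running it. Run it in an elevated PowerShell session on the member computer.

```powershell
# Added example (not from the original article): post-remediation checks for a
# member computer. The registry location below is an assumption taken from the
# Microsoft KB, not from the article; verify it in your environment.
$lsaPath   = 'HKLM:\SYSTEM\CurrentControlSet\Control\LSA'
$valueName = 'NetJoinLegacyAccountReuse'

function Test-LegacyAccountReuseEnabled {
    # $true when the legacy bypass is still active (value present and non-zero).
    $item = Get-ItemProperty -Path $lsaPath -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $false }
    return ([int]$item.$valueName -ne 0)
}

function Disable-LegacyAccountReuse {
    # -Delete removes the value; otherwise it is set to 0, matching the article's two options.
    param([switch] $Delete)
    if (-not (Test-LegacyAccountReuseEnabled)) {
        Write-Output "$valueName is absent or already 0; nothing to do."
        return
    }
    if ($Delete) {
        Remove-ItemProperty -Path $lsaPath -Name $valueName
        Write-Output "$valueName removed."
    } else {
        Set-ItemProperty -Path $lsaPath -Name $valueName -Value 0 -Type DWord
        Write-Output "$valueName set to 0."
    }
}

function Get-UpdatesSinceMarch2023 {
    # Lists installed hotfixes dated on or after the March 14, 2023 release,
    # as a quick check that the prerequisite update level has been reached.
    Get-HotFix |
        Where-Object { $_.InstalledOn -ge [datetime]'2023-03-14' } |
        Sort-Object InstalledOn -Descending |
        Select-Object HotFixID, InstalledOn
}

Get-UpdatesSinceMarch2023 | Format-Table -AutoSize
Disable-LegacyAccountReuse -Delete
```

Get-HotFix only reflects updates recorded in the local update history, so an empty result means the March 2023 update must be installed before the new policy will take effect on that computer.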