If a computer has the KB5020276 Netjoin: Domain join hardening changes Windows update installed, you might encounter the following error message when attempting to join such a computer to a domain via Adaxes.
An account with the same name exists in Active Directory. Re-using the account was blocked by security policy.
The KB5020276 security patch imposes additional restrictions on who can join computers to a domain. As a result, if a computer account is created via Adaxes, the user specified in the Can be joined to domain by property of that account will not be able to join the computer to a domain unless one of the following scenarios is also true:
The service account for the managed domain is a member of Domain Admins group.
The computer in question has the following registry key set.
- Path: HKLM\System\CurrentControlSet\Control\LSA
- Type: REG_DWORD
- Name: NetJoinLegacyAccountReuse
- Value: 1
The user who joins the computer to a domain is explicitly specified as the primary computer owner (specified in the ManagedBy (Primary) property).