search for: kb5020276

Hi everybody, since a couple of years, user X can't join a computer to AD if the computer object has been created by user Y. It is KB5020276?Netjoin: Domain join hardening changes [1]. The documentation suggests a workaround, basically a group policy applied to all the domain controllers. Is it that possibile to apply group policies to a samba DC? The group policy I'm talking about requires a 2012R2 schema, but before raising t...

>> Hi everybody, >> >> since a couple of years, user X can't join a computer to AD if the >> computer object has been created by user Y. > > Why pre-create the computer object before the join ? hi Rowland, in order to place it in the correct ou (unless I am mistaken. Is it possible to specify the target ou during the join? In my memory it was not.) > The

> I?ve spent a lot of time working on this. There?s no workaround that actually works. > > The machine account must me deleted and recreated by the new user. I use a generic user to own these new account so I keep it even if the employee adding machines leaves. > > LP thank you a lot: you're saving me a lot of time! Francesco

...PO are correctly in the right object on rebuild. Then this one specifically is a pain: mS-DS-CreatorSID: this data field is added to a machine record joined to an AD in certain situations. MS issued a client side patch in the name of ?security? that checks for this data: "KB5020276" The machine re-join goes pear shaped if it is found and if you have NOT applied an unapproved local machine registry mod? Which then means you have to delete the old record out of the LDAP OR change the name of the machine for the re-join, which is a real pain? If there was an opt...

...n be implemented with Samba? This is configured on the DC, but is evaluated by the client. Accordingly, my assumption would be that some flag must be set, which can perhaps also be set via ldbedit. Does anyone know more about this? Best regards, Stefan https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8