Forum Discussion
Re-using computer account with Add-Computer
I am having an issue getting computers to rejoin the domain after they are reimaged. It had been working up until Windows 11 22H2. I found that KB5020276 changed the re-use of computer names; I have made all the required changes and the script still will not work, but I am able to add the computer back to the domain if I use the GUI. I use the same network account in both. The account is a member of Domain Admins.
$domain = '<domain>'
# NOTE: the password sits in the script file in clear text; Get-Credential or a vault is safer
$password = "<password>" | ConvertTo-SecureString -AsPlainText -Force
# enter user account that will be used to join domain
# (double quotes so $domain is expanded; in single quotes the literal text "$domain\<user>" is passed)
$user = "$domain\<user>"
$cred = New-Object System.Management.Automation.PSCredential($user, $password)
# edit for OU path
$oupath = '<path>'
# add computer to domain, placing its account in the OU
Add-Computer -DomainName $domain -OUPath $oupath -Credential $cred -ErrorAction SilentlyContinue
# second attempt without an OU path
Add-Computer -DomainName $domain -Credential $cred
Script output
Microsoft Windows [Version 10.0.22621.1635]
(c) Microsoft Corporation. All rights reserved.
C:\Users\Administrator>powershell -nologo -executionpolicy bypass -noprofile -file C:\test\CUR_Join.ps1
Add-Computer : Computer 'TEST' failed to join domain '<domain>' from its current workgroup 'WORKGROUP'
with following error message: The group name could not be found.
At C:\test\CUR_Join.ps1:17 char:1
+ Add-Computer -domainname $domain -oupath $oupath -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (TEST:String) [Add-Computer], InvalidOperationException
+ FullyQualifiedErrorId : FailToJoinDomainFromWorkgroup,Microsoft.PowerShell.Commands.AddComputerCommand
Add-Computer : Computer 'TEST' failed to join domain '<domain>' from its current workgroup 'WORKGROUP'
with following error message: An account with the same name exists in Active Directory. Re-using the account
was blocked by security policy.
At C:\test\CUR_Join.ps1:21 char:1
+ Add-Computer -DomainName $domain -Credential $cred
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (TEST:String) [Add-Computer], InvalidOperationException
+ FullyQualifiedErrorId : FailToJoinDomainFromWorkgroup,Microsoft.PowerShell.Commands.AddComputerCommand
NetSetup.log using script
05/09/2023 09:18:50:880 IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
05/09/2023 09:18:50:880 NetpManageMachineAccountWithSid: The computer account already exists in Active Directory.Re-using the account was blocked by security policy.
NetSetup.log using GUI
05/09/2023 09:22:15:333 IsLegacyAccountReuseSetInRegistry returning: 'FALSE''.
05/09/2023 09:22:15:333 NetpCheckIfAccountShouldBeReused: Matching Owner and current user SIDs. Allowing re-use of account.
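As an added example (not the original poster's script), the following PowerShell checks, before calling Add-Computer, whether a computer object with the same name already exists and whether its owner SID matches the SID of the join account; that is the comparison the NetSetup.log lines above show NetpCheckIfAccountShouldBeReused making when the GUI join succeeds. It assumes the RSAT ActiveDirectory module is installed on the machine being joined, that a domain controller is reachable from the workgroup machine, and that the domain, account and OU names are placeholders to replace.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not the original poster's script. Assumptions: RSAT
# ActiveDirectory module present on the machine being joined, a reachable
# domain controller, and placeholder names below.

param(
    [string]$Domain       = 'corp.example.com',                           # placeholder
    [string]$JoinUser     = 'joinsvc',                                    # placeholder sAMAccountName
    [string]$OUPath       = 'OU=Workstations,DC=corp,DC=example,DC=com',  # placeholder
    [string]$ComputerName = $env:COMPUTERNAME
)

# Prompt for the password rather than embedding it in the script file.
$cred = Get-Credential -UserName "$Domain\$JoinUser" -Message "Password for $JoinUser"

# SID of the account performing the join. The join checks this against the
# owner of an existing computer object before allowing the account to be re-used.
$joinSid = (Get-ADUser -Identity $JoinUser -Server $Domain -Credential $cred).SID

# Look for an existing computer object with the same name, including its
# security descriptor so the owner can be read without a name lookup.
$existing = Get-ADComputer -Filter "Name -eq '$ComputerName'" `
    -Properties nTSecurityDescriptor -Server $Domain -Credential $cred

$joinParams = @{
    DomainName  = $Domain
    Credential  = $cred
    ErrorAction = 'Stop'
}

if ($existing) {
    # GetOwner with the SecurityIdentifier type returns the stored owner SID
    # directly, so it works before the machine can resolve domain names.
    $ownerSid = $existing.nTSecurityDescriptor.GetOwner([System.Security.Principal.SecurityIdentifier])
    if ($ownerSid -eq $joinSid) {
        Write-Host "Existing object $($existing.DistinguishedName) is owned by $JoinUser; re-use should be allowed."
    } else {
        $msg = "Existing object $($existing.DistinguishedName) is owned by SID $ownerSid, not by $JoinUser ($joinSid). " +
               "Expect 'Re-using the account was blocked by security policy' unless " +
               "$JoinUser is on the DC allow list or the object is reset or re-owned first."
        Write-Warning $msg
    }
    # -OUPath is deliberately omitted: the object already exists and stays where it is.
} else {
    # No object yet, so the join creates one in the requested OU.
    $joinParams['OUPath'] = $OUPath
}

try {
    Add-Computer @joinParams
    Write-Host "Joined $ComputerName to $Domain. Reboot to complete the join."
} catch {
    Write-Warning "Join failed: $($_.Exception.Message)"
    # NetSetup.log records which account re-use check fired; show the relevant tail.
    Get-Content -Path "$env:SystemRoot\debug\NetSetup.LOG" -Tail 20 |
        Where-Object { $_ -match 'reuse|machineaccount' }
}
```

Run it from an elevated PowerShell on the workgroup machine. When the owner does not match, the warning appears before the join fails, and the remaining options are the ones the KB describes: the DC-side "Domain controller: Allow computer account re-use during domain join" policy added with the March 2023 KB5020276 update, resetting or re-owning the existing object, or the temporary NetJoinLegacyAccountReuse registry value that the IsLegacyAccountReuseSetInRegistry log line refers to. The script itself does not reset the account.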
8 Replies
- _DamienS (Copper Contributor)
SteveBurro I realise this is an old post, but this could be permission-related for anyone else seeing a similar issue. I have actually seen this message appear even with all the right GPOs set, and it was related to two values not being set on a prestaged object.
The computer account was missing dNSHostName and certain ServicePrincipalName values, and the join account did not have the necessary rights to set those. I don't recommend adding rights to set those values. If they are prestaged, it's best to just set the values to what they should be (avoiding giving the rejoin account unnecessarily dangerous validate rights).
Here's an article that talks about this scenario in detail:
https://jigsolving.com/domain-rejoin-minimum-permissions/
- Did you try to reset the computer objects from Users and Computers and then rejoin them to the domain?
- SteveBurro (Copper Contributor)
If I delete the computer object it will create the computer and join to the domain with no problem. But I have computers assigned to groups, and if I delete the computers they lose their memberships.
- Don't delete them; just right-click on the computer object and click on Reset Account. It will allow you to join the machine with the same name to the AD.