After KB5009543 and KB5008876 AD Users and Computers console receives errors


After Windows Updates in January, 2022 - KB5009543 and KB5008876 (.NET Framework 4.8), the MMC Console accessing the Domain for "Active Directory Users and Computers" console from an Out-of-Domain Windows 10 Pro x86 or x64 Feature 21H2 PC receives errors when "Member Of" user properties or "Check Names" function are invoked when setting up a user.  The issue is RESOLVED if the command is invoked with Email address removed instead of MYDOMAIN\Administrator runas.exe command parameter.


C:\Windows\System32\runas.exe /netonly /user:Email address removed "mmc Console1.msc /"


The above command runs correctly WITHOUT the "User name or password incorrect" temporary error and no LSA 40970 Event.


C:\Windows\System32\runas.exe /netonly /user:MYDOMAIN\Administrator "mmc Console1.msc /"


The above command receives the "User or password incorrect" message with a post to the Event Viewer of LSA 40970:

"The Security System has detected a downgrade attempt when contacting the 3-part SPN (Service Principal Name) "ldap/ address removed" with error code " (0xc000005e)". Authentication was denied."


When the Error Popup is dismissed, the Console function continues to run normally and the operation is completed.  The "Check Names" function, when adding a new security group Member, causes a login popup to the Domain Administrator, which if dismissed, allows the "Check Names" function to operate successfully.


My GUESS is that there is an issue with how the older "MYDOMAIN\Administrator" is used in the program versus the newer "Email address removed" format for specifying the authenticating user after the January, 2022 updates.


This is a minor issue and has been resolved by recoding the Desktop Shortcuts accessing these consoles.  I have also changed the Desktop Shortcuts for Domain Naming Service and DHCP Server console accesses.


I thought I'd bring this up in a discussion as it may relate to other issues in other consoles or programs invoked using the older MYDOMAIN\Administrator user specification in commands.
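As an added example (not from the original post or its author): a PowerShell helper for the workstation that launches the console with runas /netonly, which pulls recent LSA 40970 events from the System log and extracts the flagged SPN and NTSTATUS code so they can be correlated with the account format used (MYDOMAIN\Administrator versus the UPN form). The function names, the sample message text and the domain controller name in it are constructed assumptions.

```powershell
# Added example (not the original poster's code): triage LSA event 40970 on the
# client that runs the runas /netonly console and show the SPN and error code.

function ConvertFrom-LsaDowngradeMessage {
    param([Parameter(Mandatory)][string]$Message)
    # Pull the quoted 3-part SPN and the NTSTATUS code out of the free-text message.
    $spn  = if ($Message -match '"([^"]*/[^"]*)"') { $Matches[1] } else { $null }
    $code = if ($Message -match '\(0x([0-9A-Fa-f]{8})\)') { '0x' + $Matches[1].ToUpper() } else { $null }
    [pscustomobject]@{
        SPN       = $spn
        ErrorCode = $code
        # 0xC000005E is STATUS_NO_LOGON_SERVERS, the code quoted in the post.
        Meaning   = if ($code -eq '0xC000005E') { 'STATUS_NO_LOGON_SERVERS' } else { 'see ntstatus.h' }
    }
}

function Get-LsaDowngradeEvents {
    param([int]$Hours = 24)
    # Event 40970 is written to the System log by the LSA of the machine that made the request.
    $filter = @{ LogName = 'System'; Id = 40970; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $parsed = ConvertFrom-LsaDowngradeMessage -Message $_.Message
        [pscustomobject]@{
            Time      = $_.TimeCreated
            SPN       = $parsed.SPN
            ErrorCode = $parsed.ErrorCode
            Meaning   = $parsed.Meaning
        }
    }
}

# Constructed sample in the shape of the message quoted in the post (placeholder DC name),
# so the parser can be checked without an affected machine.
$sample = 'The Security System has detected a downgrade attempt when contacting the 3-part SPN ' +
          '"ldap/dc01.mydomain.net@MYDOMAIN.NET" with error code " (0xc000005e)". Authentication was denied.'
ConvertFrom-LsaDowngradeMessage -Message $sample | Format-List

# On the affected workstation, list recent occurrences to line up with the runas launches.
Get-LsaDowngradeEvents -Hours 72 | Format-Table -AutoSize
```

Running the second command once with each runas account format makes it easy to confirm that only the DOMAIN\user form produces the 40970 entry described above.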

3 Replies
Please replace the "Email address removed" with the Administator "at-sign" in the above discussion.

Typo Monday! Administrator "at-sign" please!

The Event Viewer message part "ldap/ address removed"
actually reads:

ldap/ "at-sign" MYDOMAIN.NET