This is a quick post to go through an issue I ran into when applying the Active Directory (AD) domain re-use policy. I have a separate post on setting up the domain re-use policy.
Even though the policy was configured for the user I was attempting to re-join the computer to AD with, I was still getting the domain join error:
Account exists and re-use is blocked by policy.
When looking through the netsetup logs under C:\Windows\debug, I was seeing the following error:
Active Directory Policy check with SAM_DOMAIN_JOIN_POLICY_LEVEL_V2 returned NetStatus:0x5.

This issue was caused by having the following security option policy set: "Network access: Restrict clients allowed to make remote calls to SAM".
This policy is recommended to improve security in AD, but by default it only allows members of the Administrators group in AD to connect remotely to the Security Accounts Manager (SAM) database.
To fix the issue, I added the same group used for domain joins to the policy, so the domain re-join accounts are also allowed to make remote calls to SAM.

Once the policy is updated on all DCs, the domain join should work correctly.
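As an added example (not code from the original post), the following PowerShell script shows what the fix looks like underneath the Group Policy UI. The "Network access: Restrict clients allowed to make remote calls to SAM" setting is stored on each DC as the RestrictRemoteSAM string value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, holding an SDDL security descriptor; Microsoft's documented default when the policy is enabled is O:BAG:BAD:(A;;RC;;;BA), which grants only BUILTIN\Administrators the READ_CONTROL (RC) right. The script inspects the current descriptor, adds an RC allow ACE for the domain-join group if it is not already present, and writes it back. The group name "Domain Join Accounts" is a placeholder I made up; the NetStatus:0x5 in netsetup.log is the standard Windows ERROR_ACCESS_DENIED code, which is consistent with the SAM call being refused by this policy.

```powershell
# Added example, not part of the original post or any Microsoft tooling.
# Assumptions: run elevated on a domain controller; 'Domain Join Accounts' is a
# placeholder group name. If the setting is delivered by GPO (Computer
# Configuration > Policies > Windows Settings > Security Settings > Local
# Policies > Security Options), the GPO will overwrite a hand-edited registry
# value on the next refresh, so the durable change belongs in the GPO itself.
# This script is useful to see the SDDL you need and to verify what each DC
# currently has.

function Get-RestrictRemoteSamSddl {
    # Returns the current SDDL, or the documented enabled-policy default when
    # the value is absent (policy not yet applied on this DC).
    $KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $current = (Get-ItemProperty -Path $KeyPath -Name 'RestrictRemoteSAM' `
                -ErrorAction SilentlyContinue).RestrictRemoteSAM
    if ([string]::IsNullOrWhiteSpace($current)) { $current = 'O:BAG:BAD:(A;;RC;;;BA)' }
    return $current
}

function Add-RemoteSamAllowedGroup {
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # e.g. 'CONTOSO\Domain Join Accounts'
        [switch] $Apply                               # without -Apply, only print the new SDDL
    )

    $ReadControl = 0x20000   # RC in SDDL = READ_CONTROL, the right the SAM check needs

    # Resolve the group to a SID so the ACE is not tied to a display name.
    $sid = (New-Object System.Security.Principal.NTAccount($GroupName)).Translate(
               [System.Security.Principal.SecurityIdentifier])

    # Parse the SDDL with the .NET security descriptor classes rather than string edits.
    $sd = New-Object System.Security.AccessControl.RawSecurityDescriptor((Get-RestrictRemoteSamSddl))
    if ($null -eq $sd.DiscretionaryAcl) {
        $sd.DiscretionaryAcl = New-Object System.Security.AccessControl.RawAcl(
            [System.Security.AccessControl.RawAcl]::AclRevision, 1)
    }

    # Is there already an allow ACE granting RC to this SID?
    $already = $sd.DiscretionaryAcl | Where-Object {
        $_ -is [System.Security.AccessControl.CommonAce] -and
        $_.SecurityIdentifier -eq $sid -and
        $_.AceQualifier -eq [System.Security.AccessControl.AceQualifier]::AccessAllowed -and
        ($_.AccessMask -band $ReadControl) -ne 0
    }

    if (-not $already) {
        $ace = New-Object System.Security.AccessControl.CommonAce(
            [System.Security.AccessControl.AceFlags]::None,
            [System.Security.AccessControl.AceQualifier]::AccessAllowed,
            $ReadControl, $sid, $false, $null)
        $sd.DiscretionaryAcl.InsertAce($sd.DiscretionaryAcl.Count, $ace)
    }

    $newSddl = $sd.GetSddlForm([System.Security.AccessControl.AccessControlSections]::All)
    Write-Host "Group SID : $($sid.Value)"
    Write-Host "New SDDL  : $newSddl"

    if ($Apply) {
        # New-ItemProperty -Force overwrites the existing REG_SZ value in place.
        New-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
            -Name 'RestrictRemoteSAM' -PropertyType String -Value $newSddl -Force | Out-Null
        Write-Host 'RestrictRemoteSAM updated on this DC.'
    }
    return $newSddl
}

# Dry run first: shows the SDDL you would paste into the GPO's
# "Edit Security" dialog (or that the dialog will generate for you).
Add-RemoteSamAllowedGroup -GroupName 'CONTOSO\Domain Join Accounts'
# Then, on a lab DC or where the value is not GPO-managed:
# Add-RemoteSamAllowedGroup -GroupName 'CONTOSO\Domain Join Accounts' -Apply
```

Running the function without -Apply on each DC is also a quick way to confirm the policy has actually landed everywhere: if one DC still reports the bare Administrators-only descriptor, a join that happens to authenticate against that DC will keep failing with the same NetStatus:0x5 line even after the GPO has been edited.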
