KnowledgeBase: You receive EventID 16990 or 16991 when users create or modify computer objects


One of the more recent issues you might encounter when creating or modifying computer objects and/or (group) managed service accounts in Active Directory is errors on your domain controllers with event ID 16990 or 16991, source Directory-Services-SAM, in the System event log.

The situation

You run an Active Directory forest with Domain Controllers that are up to date with the latest monthly cumulative updates.

People in your environment routinely create, modify and/or delete computer objects. The user accounts for these people have been configured with delegated permissions to create and/or modify computer accounts and/or (group) managed service accounts in Active Directory.

The issue

People experience errors in the Security event logs of domain controllers with EventID 16990 or EventID 16991 when they create or modify computer objects or (group) managed service accounts, instead of the usual informational events with EventID 4742 (a computer object was created) or EventID 4743 (a computer object was modified).

The computer object is not created or modified.

The cause

Events with EventID 16990 and 16991 are caused by the new validations on domain controllers to prevent attackers from impersonating domain controllers using a technique labelled ‘computer account sAMAccountName spoofing’. A successful attack may lead to elevation of privilege.

EventID 16991

You receive events with EventID 16991 with source Directory-Services-SAM in the System event log of domain controllers, when:

  • The Windows updates released on November 9, 2021 or later are installed on the domain controllers.
  • The computer account was created or modified by a user who does not have administrator rights for machine accounts. Effectively, the user account performing the operation has either the 10th bit of its userAccountControl attribute (UF_NORMAL_ACCOUNT) or the 12th bit (UF_INTERDOMAIN_TRUST_ACCOUNT) set.
  • The computer account or (group) managed service account has either the 13th bit of the userAccountControl attribute (UF_WORKSTATION_TRUST_ACCOUNT) or the 14th bit (UF_SERVER_TRUST_ACCOUNT) set.
  • The sAMAccountName attribute of the computer account does not end with a single dollar sign ($).

The event’s description for errors with EventID 16991 reads:

The security account manager blocked a non-administrator from creating or renaming a computer account using an invalid sAMAccountName. sAMAccountName on computer accounts must end with a single trailing $ sign.

In this case, the following failure code is logged:

0x523 ERROR_INVALID_ACCOUNTNAME

EventID 16990

When the fourth condition in the previous list is not met, the domain controller logs an event with EventID 16990 with source Directory-Services-SAM in the System event log.

The event’s description for errors with EventID 16990 reads:

The security account manager blocked a non-administrator from creating an Active Directory account in this domain with mismatched objectClass and userAccountControl account type flags.

In this case, the following failure code is logged:

ACCESS_DENIED

The solution

For existing objects, the validation occurs when users who do not have administrator rights modify the sAMAccountName or userAccountControl attributes.

Make these modifications using accounts that are members of the Domain Admins group.
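The following PowerShell script is an added example, not part of the original article, that turns the conditions above into a pre-check: it lists existing objects carrying a trust-account flag whose sAMAccountName does not end with a single $ (EventID 16991 candidates) or whose objectClass does not match that flag (EventID 16990 candidates), and then pulls any 16990/16991 events already logged. It assumes the ActiveDirectory RSAT module and read access to the domain and to a domain controller's System log.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is installed and the session can read the domain and the DC's System log.
Import-Module ActiveDirectory

# userAccountControl bits named in the article (1-based bits 13 and 14)
$UF_WORKSTATION_TRUST_ACCOUNT = 0x1000   # 4096
$UF_SERVER_TRUST_ACCOUNT      = 0x2000   # 8192

# Every object that carries a trust-account flag, regardless of objectClass.
# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$UF_WORKSTATION_TRUST_ACCOUNT)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$UF_SERVER_TRUST_ACCOUNT))"
$objects = Get-ADObject -LDAPFilter $filter -Properties sAMAccountName, userAccountControl, objectClass

$findings = foreach ($o in $objects) {
    $name = $o.sAMAccountName
    # Valid: ends with a single trailing "$" ("PC01$" passes; "PC01" and "PC01$$" fail)
    $validName = $name -match '(?<!\$)\$$'
    # A trust flag belongs on computer / managed service account classes only
    $classOk = $o.objectClass -in @('computer', 'msDS-GroupManagedServiceAccount', 'msDS-ManagedServiceAccount')
    if (-not $validName -or -not $classOk) {
        [pscustomobject]@{
            DistinguishedName  = $o.DistinguishedName
            sAMAccountName     = $name
            objectClass        = $o.objectClass
            userAccountControl = ('0x{0:X}' -f $o.userAccountControl)
            # Which event a later non-admin change to sAMAccountName/userAccountControl would trip
            WouldLog           = if (-not $validName) { 'EventID 16991' } else { 'EventID 16990' }
        }
    }
}
$findings | Format-Table -AutoSize

# Events already raised by the hardening check, from the System log of this DC
Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = @(16990, 16991) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List
```

Objects in the first list are the ones to fix with a Domain Admins member before delegated users touch them again; run the event query with `-ComputerName <DC>` to check other domain controllers.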

Further reading

  • KB5008102 – AD Security Accounts Manager hardening changes (CVE-2021-42278)
  • CVE-2021-42278 – Security Update Guide
  • UserAccountControl property flags
