(OO) Support Tip: Microsoft patch MS15-096 (Microsoft KB3072595) breaks Create Computer Account op
Microsoft patch MS15-096 (Microsoft KB3072595) breaks Create Computer Account operation (/Base [1.6.2]/Library/Operations/Active Directory/.NET/Computers/).
The problem appears once this patch is installed on Active Directory. MS15-096 addresses a (perceived) security hole that Microsoft identified. With the fix in place, a customer can no longer create a generic object as part of the provisioning flow and then come back, once the object is created, and turn that generic object into a machine account. The symptom seen is ‘access denied’ after a disabled generic account record is created in AD.
The customer's assumption is that the OO operation creates a generic record and then changes it to a Machine Account (originally Microsoft’s recommended way for this process). Microsoft recently came to consider this a security flaw and fixed it in MS15-096; now only a domain administrator can change record types in AD. In an enterprise such as the customer's, a service account for cloud automation will never be granted domain admin privileges. Microsoft now claims the best way to solve this problem is to create the Machine Account record directly and not attempt to change record types in AD.
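What direct creation looks like from PowerShell, as an added example (not the OO operation's code and not the hot fix). It assumes the ActiveDirectory module and a service account that has been delegated the right to create computer objects in the target OU; the function name, OU path and host name are hypothetical placeholders.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: creates the object as a computer from the start,
# so no later change of record type (the step that now returns
# 'access denied' for non-domain-admins) is needed.
function New-MachineAccountDirect {
    param(
        # NetBIOS-style host name: letters, digits, hyphen, max 15 chars
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z0-9-]{1,15}$')]
        [string]$Name,
        [Parameter(Mandatory)][string]$OuPath,
        [System.Management.Automation.PSCredential]$Credential
    )
    $common = @{}
    if ($Credential) { $common.Credential = $Credential }

    # Machine accounts carry a trailing '$' in sAMAccountName.
    $sam = $Name + '$'

    # Refuse to proceed if any object (user, computer, ...) already
    # owns this sAMAccountName; do not try to convert it.
    $existing = Get-ADObject -LDAPFilter "(sAMAccountName=$sam)" @common
    if ($existing) {
        throw "sAMAccountName $sam already exists as $($existing.ObjectClass)"
    }

    # Create the record directly as a (disabled) computer object.
    $created = New-ADComputer -Name $Name -SAMAccountName $sam `
        -Path $OuPath -Enabled $false -PassThru @common

    # Verify the result: object class 'computer' and the
    # WORKSTATION_TRUST_ACCOUNT (0x1000) bit in userAccountControl.
    $check = Get-ADComputer -Identity $created.DistinguishedName `
        -Properties userAccountControl @common
    if ($check.ObjectClass -ne 'computer' -or
        -not ($check.userAccountControl -band 0x1000)) {
        throw "Object $($check.DistinguishedName) is not a machine account"
    }
    return $check
}

# Constructed sample values, not taken from the original page.
New-MachineAccountDirect -Name 'CLOUDVM-0001' `
    -OuPath 'OU=Provisioned,DC=example,DC=test'
```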
How to resolve this issue?
Please contact Technical Support for a hot fix.
Please see the knowledge document at https://softwaresupport.hp.com/km/KM01899553