Absent Member.. Pamela Harrod Absent Member..
Absent Member..
136 views

(OO) Support Tip: Microsoft patch MS15-096 (Microsoft KB3072595) breaks Create Computer Account op

Microsoft patch MS15-096 (Microsoft KB3072595) breaks Create Computer Account operation (/Base [1.6.2]/Library/Operations/Active Directory/.NET/Computers/). 

This patch was installed to Active Directory.  Microsoft patch MS15-096 addresses a (perceived) security hole that Microsoft identified.  The fix does not allow a customer to create a generic object as part of the provisioning flow.  Once the object is created, customer comes back and turns that generic object into a machine account.  The symptom seen is ‘access denied’ after a disabled generic account record is created in the AD.

Customer's assumption is that in the OO operation a generic record is created then changing it to a Machine Account (originally Microsoft’s recommended way for this process).  Recently Microsoft considered this to be a security flaw and fixed it in MS15-096 and now only a domain administrator can change record types in the AD.  In an enterprise such as the customer's, a service account for cloud automation will never be granted domain admin privileges.  Microsoft now claims the best way to solve this problem is to create the Machine Account record directly and not attempt to change record types in the AD.

How to resolve this issue?

Please contact Technical Support for a hot fix.

Please see the knowledge document at https://softwaresupport.hp.com/km/KM01899553

Labels (2)
0 Likes
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.