Missing account permissions to create the Active Directory computer object in the AMT_OU container in AD
- Provision AMT - Active Directory creates object function CreateDSObject failed with error -2147016657
- SCCM shows computername$ime objects for a period and then periodically switches back to the computer name.
- The error occurs because the account being used does not have the appropriate permissions in Active Directory to create the computer object in the AMT_OU container.
- In the SCCM device collections, SCCM is pulling in both the computer object in its native OU and the AMT_OU object. The cause is in SCCM under Administration, in the discovery methods. One of the methods allows you to do system discovery from Active Directory. SCCM does a top-level scan in Active Directory and searches everything (depending on how it is set up). The account doing the search in Active Directory therefore also picks up the objects in the AMT_OU; the solution would be to deny whatever account is running the scan access to read objects in the AMT_OU.
This could potentially affect something else with this account, so the recommendation would be:
If you need further assistance, please answer the questions below:
- What account is doing the query in SCCM for Active Directory?
- Is this account being used for anything else?
- When doing a scan, what discovery method are you using and possibly a screenshot of the OU structure?
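
One way to check both permissions discussed above before changing anything, shown as an added example that is not part of the original article. The domain DN and both account names are placeholders (assumptions), and the script requires the ActiveDirectory PowerShell module (RSAT).

```powershell
# Added example: audit the two AMT_OU permissions this article discusses.
# The DN and account names below are placeholders; replace them with your own.
Import-Module ActiveDirectory

$AmtOu            = 'OU=AMT_OU,DC=example,DC=com'  # placeholder DN
$ProvisionAccount = 'EXAMPLE\amt-provision'        # placeholder: account creating the AMT object
$DiscoveryAccount = 'EXAMPLE\sccm-discovery'       # placeholder: account running AD System Discovery

# schemaIDGUID of the "computer" class; an all-zero GUID means "any object class"
$ComputerClass = [guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

# Return the ACEs for one account that include the requested right.
# Only ACEs naming the account directly are matched; rights that arrive
# through group membership need the same check against each group.
function Get-OuRule {
    param($Rules, [string]$Account,
          [System.DirectoryServices.ActiveDirectoryRights]$Right)
    $Rules | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        ($_.ActiveDirectoryRights -band $Right) -eq $Right
    }
}

$rules = (Get-Acl -Path "AD:\$AmtOu").Access

# 1. Provisioning account: needs an Allow ACE for CreateChild that covers
#    computer objects (or all object classes).
$create = Get-OuRule $rules $ProvisionAccount 'CreateChild' | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    ($_.ObjectType -eq $ComputerClass -or $_.ObjectType -eq [guid]::Empty)
}

# 2. Discovery account: an explicit Deny on read keeps the AMT_OU objects
#    out of Active Directory System Discovery results.
$denyRead = Get-OuRule $rules $DiscoveryAccount 'ReadProperty' |
    Where-Object { $_.AccessControlType -eq 'Deny' }

[pscustomobject]@{
    OU                        = $AmtOu
    ProvisionCanCreateComputer = [bool]$create
    DiscoveryReadDenied        = [bool]$denyRead
}

# Full ACE detail for both accounts, for the support questions above
$rules | Where-Object { $_.IdentityReference.Value -in $ProvisionAccount, $DiscoveryAccount } |
    Format-Table IdentityReference, AccessControlType, ActiveDirectoryRights, ObjectType, IsInherited
```

The script only reads the ACL. Because it matches ACEs that name the account directly, a `False` result for the provisioning account can still mean the right is granted through a group.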