KB5020276—Netjoin: Domain join hardening change breaks ARS allow domain join

I've opened a support request with One Identity already but wanted to see if anyone here has seen this yet. October client patches from MS have a domain join hardening update. In a nutshell, if the account doing the join to an existing object in AD is not in domain admins or listed as the creator of the object, it prevents the join. Since Azure provisioned devices have the latest patches from MS, we found we can no longer join these after ARS is used to precreate the objects. All of our staff are required to use ARS and none have native rights, so these are proving to be troublesome. Our client images don't have the patch yet so they aren't a concern just yet, but the servers are an issue since we can't control the Azure images. Our ARS Service account is not in DA, it's just an administrator. We'd rather not make it a DA as it's way more rights than it needs. We are also trying a few things to see if we can run a post create on the computers and change the owner. Just wondering if anyone else has run into this yet and has another workaround.

Below is the KB information article for the MS change. There is also someone who found a reg key that has been working, but there is concern that MS may not support us if we continue to use that. I listed that below as well.

KB5020276—Netjoin: Domain join hardening changes (microsoft.com)

Windows Oktober 2022 Patchday: Fix for Domain Join Hardening (CVE-2022-38042) prevents domain join | Born's Tech and Windows World (borncity.com)