When using a Migration Session to migrate computer accounts to Target, the migration session fails with the error:
Error 0xe1000041. Apply of attribute userAccountControl with value(s) = 4098 failed.
LDAP error 0x32. Insufficient Rights (00000005: SecErr: DSID-031A1256, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0).
The Service Account configured for the Target Domain is a member of the Built-In Administrators group and/or has Full Control over the OU where the Computer objects are being migrated to.
Microsoft released an update (KB3072595) that changed how the userAccountControl attribute can be updated.
Per Microsoft:
This security update prevents non-administrators from changing the account type on existing user and computer accounts. After you install this security update, you cannot change flags in the UserAccountControl registry entry in order to change the account type. The most frequently affected operation occurs when applications interactively or programmatically create objects in Active Directory as user accounts and then convert them to computer accounts, or vice-versa, by changing the UserAccountControl value. One mitigation is to create user or computer objects that have the intended UserAccountControl value when the object is created. For example, objects that are intended to be computer accounts should have a UserAccountControl value that contains WORKSTATION_TRUST_ACCOUNT during object creation.
1. If the computer object(s) need to be migrated to the Target domain ahead of the actual move of the computer object, then add the Target Domain Service Account to the Target Domain Admins group and re-run the Migration session.
2. Use Resource Updating Manager (RUM) to move (join) the account to the Target Domain.
3. Remove MS KB3072595 from impacted Target DC(s).
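To see what the failing value 4098 means and whether a given modify is the account-type change Microsoft describes, the following added example (not Quest or Microsoft code) decodes userAccountControl and compares the account-type bits before and after. The flag values are the UF_* constants from the Windows SDK header lmaccess.h; the function names are hypothetical, and treating UF_ACCOUNT_TYPE_MASK as the set of bits the update protects is an assumption.

```python
# Added example: decode userAccountControl and flag account-type changes.
# Flag values are the UF_* constants from the Windows SDK header lmaccess.h.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",
    0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

# UF_ACCOUNT_TYPE_MASK: the bits that define what kind of account an object is.
# Assumption: these are the bits the update treats as the "account type".
ACCOUNT_TYPE_MASK = 0x0100 | 0x0200 | 0x0800 | 0x1000 | 0x2000


def decode_uac(value):
    """Return the names of the known flags set in a userAccountControl value."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)  # bits not listed in the table above
    if unknown:
        names.append(f"UNKNOWN(0x{unknown:x})")
    return names


def changes_account_type(current, requested):
    """True when a modify would alter the account-type bits of an existing object."""
    return (current & ACCOUNT_TYPE_MASK) != (requested & ACCOUNT_TYPE_MASK)


def review_modify(current, requested):
    """Summarise one userAccountControl modify for troubleshooting."""
    return {
        "current": decode_uac(current),
        "requested": decode_uac(requested),
        "account_type_change": changes_account_type(current, requested),
    }


if __name__ == "__main__":
    # Constructed "current" values; 4098 is the requested value from the error.
    for current in (514, 4096, 4098):
        print(current, "->", 4098, review_modify(current, 4098))
```

An object that already carries WORKSTATION_TRUST_ACCOUNT (4096 or 4098) shows no account-type change, which matches Microsoft's mitigation of creating the object with the intended value.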