When an Active Roles Property Generation and Validation (PGV) policy is present and enforcing a value on a computer's userAccountControl attribute, Active Roles will create the computer object without issue, but the object is created with a value which does not match what should be enforced by policy.
The Active Roles Administration Service will always add bitwise mask 32 (PASSWD_NOTREQD) to the value specified by policy.
This issue affects all Active Roles clients.
Use a Change Workflow Update Activity or a Policy Script with the onPostCreate event handler to correct the value of userAccountControl after the computer account has been created.
Waiting for a fix in a future release of Active Roles.