Admins often need to automate things, like creating a dedicated account for joining machines to an Active Directory (AD) domain. This is useful for things like System Center Configuration Manager task sequences and System Center Virtual Machine Manager templates or similar needs.
First create a standard Windows user account. Next, right-click on the Computers Organizational Unit (OU) within your AD domain. From the menu choose Delegate Control.
On the next screen (Users or Groups) choose Add and select the user account you just created. Click Next. Choose "Create a custom task to delegate" on the next screen.
Next, choose to only delegate control to computer objects and tick Create and Delete selected objects in this folder. Click Next.
On the next screen choose to show general permissions and from the list select:
- Reset password
- Read and write account restrictions
- Validated write to DNS host name
- Validated write to service principal name
Click Next and finish to complete the wizard. Repeat this process for any other OUs where you'll be joining computers to the domain.
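For anyone who would rather script this than click through the wizard for every OU, the following is an added PowerShell example (not from the original post) that grants the same five permissions using the ActiveDirectory module. The account name and OU distinguished name are placeholders for your own environment. The extended-right and schema GUIDs are looked up from the forest's own schema and Extended-Rights container by the display names shown in the wizard, so nothing is hard-coded; the choice to apply the create/delete ACE to the OU and all descendants, and the per-object rights only to descendant computer objects, is an assumption that mirrors what the wizard produces in practice and keeps the account scoped to computer objects only.

```powershell
# Added example, not part of the original post. Assumes the ActiveDirectory module
# and an account with rights to modify the OU's security descriptor.
Import-Module ActiveDirectory

$JoinAccount = 'CONTOSO\svc-domainjoin'            # placeholder: account created in step 1
$TargetOU    = 'OU=Computers,DC=contoso,DC=com'    # placeholder: OU being delegated

$rootDse  = Get-ADRootDSE
$schemaNC = $rootDse.schemaNamingContext
$configNC = $rootDse.configurationNamingContext

# Resolve the computer object class GUID from the schema (schemaIDGUID is stored as bytes)
$computerClass = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerClassGuid = New-Object System.Guid (,[byte[]]$computerClass.schemaIDGUID)

# Resolve an extended right / property set / validated write by the display name the wizard shows
function Get-RightsGuid {
    param([Parameter(Mandatory)][string]$DisplayName)
    $right = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $right) { throw "Extended right '$DisplayName' not found in $configNC" }
    [System.Guid]$right.rightsGuid
}

$identity = [System.Security.Principal.NTAccount]$JoinAccount
$allow    = [System.Security.AccessControl.AccessControlType]::Allow
$inhAll   = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$inhDesc  = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents

$acl = Get-Acl -Path "AD:\$TargetOU"

# "Create and Delete selected objects in this folder", limited to computer objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
    $allow, $computerClassGuid, $inhAll)))

# "Reset password" on descendant computer objects (extended right)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    $allow, (Get-RightsGuid 'Reset Password'), $inhDesc, $computerClassGuid)))

# "Read and write account restrictions" (property set) on descendant computer objects
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $identity,
    [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty',
    $allow, (Get-RightsGuid 'Account Restrictions'), $inhDesc, $computerClassGuid)))

# The two validated writes are expressed as the "Self" right scoped to the validated-write GUID
foreach ($name in 'Validated write to DNS host name', 'Validated write to service principal name') {
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::Self,
        $allow, (Get-RightsGuid $name), $inhDesc, $computerClassGuid)))
}

Set-Acl -Path "AD:\$TargetOU" -AclObject $acl

# Verify: list exactly what the join account now holds on this OU and nothing more
(Get-Acl -Path "AD:\$TargetOU").Access |
    Where-Object { $_.IdentityReference -eq $identity } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType |
    Format-Table -AutoSize
```

Run it once per OU from step 10 (change `$TargetOU` each time). The final `Get-Acl` listing is the check worth keeping: the join account should show only these five entries on the OU, and any broader right (GenericAll, WriteDacl, WriteOwner) appearing there means the delegation was over-scoped and should be removed before the account is used in a task sequence or template.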