I am in the process of separating administrator roles within a domain, and I cannot find a definitive source for the permissions that need to be granted to add workstations to the domain. I found the following in the forums, but I cannot find a TechNet article that specifically supports that these are the correct permissions. We want to delegate specifically what is needed, with no additional rights:
:: Placeholders: the target OU and the group that will be joining machines
SET OU=OU=SomeOU,DC=Contoso,DC=com
SET SP=contoso\AddToDomain
:: dsacls /G syntax is trustee:rights;objecttype;inheritedobjecttype
:: /I:T = this object and all sub-objects, /I:S = sub-objects only
:: Grant permissions to Add and Delete computer objects (ACEs on the OU itself)
dsacls %OU% /I:T /G %SP%:CC;computer;
dsacls %OU% /I:T /G %SP%:DC;computer;
:: Grant permissions to join computers to the domain (ACEs inherited by computer objects under the OU)
:: CA=control access, LC=list contents, GR=generic read, SD=delete, DT=delete tree, RC=read control
dsacls %OU% /I:S /G %SP%:CALCGRSDDTRC;;computer
:: Write the attributes a domain join has to set on the computer object
dsacls %OU% /I:S /G %SP%:WP;description;computer
dsacls %OU% /I:S /G %SP%:WP;sAMAccountName;computer
dsacls %OU% /I:S /G %SP%:WP;displayName;computer
dsacls %OU% /I:S /G %SP%:WP;userAccountControl;computer
:: Validated (self) writes so the joined machine can maintain its own SPN and DNS host name
dsacls %OU% /I:S /G %SP%:WS;"Validated write to service principal name";computer
dsacls %OU% /I:S /G %SP%:WS;"Validated write to DNS host name";computer
Is there a source that specifically documents the requirements for this? I am not asking about rights (I know what to do there); I just need to know that the delegation is accurate.
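As an added example, not part of the original post and not an answer to where Microsoft documents this: a PowerShell script that reads the OU's ACL back and checks that each dsacls line in the post landed as the ACE it should, then lists anything else the group holds on that OU (the "no additional rights" part). It assumes the RSAT ActiveDirectory module is available, that the account running it can read the OU's nTSecurityDescriptor plus the schema and configuration partitions, and that the OU DN and group name are the placeholders from the dsacls script. The dsacls-to-ACE mapping it encodes (rights;objecttype;inheritedobjecttype to ActiveDirectoryRights/ObjectType/InheritedObjectType, /I:T to All, /I:S to Descendents) is the script author's reading of dsacls, not something the post states.

```powershell
# Added verification script (not from the original post).  Assumes the RSAT
# ActiveDirectory module; $ouDN and $trustee are placeholders taken from the
# dsacls script in the post.
Import-Module ActiveDirectory

$ouDN    = 'OU=SomeOU,DC=Contoso,DC=com'
$trustee = 'CONTOSO\AddToDomain'
$rootDse = Get-ADRootDSE

# lDAPDisplayName -> schemaIDGUID of a class or attribute (the ObjectType GUID in an ACE)
function Get-SchemaGuid([string]$LdapDisplayName) {
    $obj = Get-ADObject -SearchBase $rootDse.schemaNamingContext `
        -LDAPFilter "(lDAPDisplayName=$LdapDisplayName)" -Properties schemaIDGUID
    if (-not $obj) { throw "schema object '$LdapDisplayName' not found" }
    New-Object Guid (,[byte[]]$obj.schemaIDGUID)
}

# displayName -> rightsGuid of a control access right (validated writes live here too)
function Get-ExtendedRightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$($rootDse.configurationNamingContext)" `
        -LDAPFilter "(displayName=$DisplayName)" -Properties rightsGuid
    if (-not $obj) { throw "extended right '$DisplayName' not found" }
    [Guid]$obj.rightsGuid
}

$computer = Get-SchemaGuid 'computer'
$none     = [Guid]::Empty

# One entry per dsacls line.  "rights;objecttype;inheritedobjecttype" maps to
# ActiveDirectoryRights / ObjectType / InheritedObjectType; /I:T -> All, /I:S -> Descendents.
$expected = @(
    @{ Line = 'CC;computer;'; Rights = 'CreateChild'; ObjectType = $computer; Inherited = $none; Scope = 'All' }
    @{ Line = 'DC;computer;'; Rights = 'DeleteChild'; ObjectType = $computer; Inherited = $none; Scope = 'All' }
    @{ Line = 'CALCGRSDDTRC;;computer'
       Rights = 'ExtendedRight, ListChildren, GenericRead, Delete, DeleteTree, ReadControl'
       ObjectType = $none; Inherited = $computer; Scope = 'Descendents' }
)
foreach ($attr in 'description', 'sAMAccountName', 'displayName', 'userAccountControl') {
    $expected += @{ Line = "WP;$attr;computer"; Rights = 'WriteProperty'
                    ObjectType = (Get-SchemaGuid $attr); Inherited = $computer; Scope = 'Descendents' }
}
foreach ($name in 'Validated write to service principal name', 'Validated write to DNS host name') {
    $expected += @{ Line = "WS;`"$name`";computer"; Rights = 'Self'
                    ObjectType = (Get-ExtendedRightGuid $name); Inherited = $computer; Scope = 'Descendents' }
}

# An ACE satisfies an expected entry if it carries at least the expected rights
# on exactly the expected object type, inherited object type and scope.
function Test-Ace($Ace, $Exp) {
    $want = [int][System.DirectoryServices.ActiveDirectoryRights]$Exp.Rights
    (([int]$Ace.ActiveDirectoryRights -band $want) -eq $want) -and
    ($Ace.ObjectType -eq $Exp.ObjectType) -and
    ($Ace.InheritedObjectType -eq $Exp.Inherited) -and
    ($Ace.InheritanceType -eq $Exp.Scope)
}

# Only explicit Allow ACEs for the group on this OU; inherited ones came from higher up.
$aces = (Get-Acl -Path "AD:\$ouDN").Access | Where-Object {
    $_.IdentityReference.Value -eq $trustee -and -not $_.IsInherited -and $_.AccessControlType -eq 'Allow'
}

foreach ($exp in $expected) {
    $present = [bool]($aces | Where-Object { Test-Ace $_ $exp })
    '{0,-8} {1}' -f ($(if ($present) { 'OK' } else { 'MISSING' }), $exp.Line)
}

# The "no additional rights" check: ACEs the group holds that no expected entry explains.
$extra = $aces | Where-Object { $ace = $_; -not ($expected | Where-Object { Test-Ace $ace $_ }) }
if ($extra) {
    "Unexpected ACEs for ${trustee}:"
    $extra | Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType -AutoSize
}
```

Rights are compared as "at least", so an ACE that carries the expected bits plus more still reports OK for its line; tighten the `-band` test to an equality if you want a single ACE with surplus bits to show up as a mismatch. Run it before and after the dsacls script to see exactly which entries it added, and rerun it on any other OU the group touches to confirm nothing outside this OU was granted.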