Create a Delegation of Control Wizard template to delegate the 'join computer to a domain' right

When you pre-create a computer account in Active Directory Users and Computers, the dialog offers the option "The following user or group can join this computer to a domain"; by default it is set to the Domain Admins group. The template below lets you delegate that same right on a whole OU to any group you choose, instead of setting it account by account.

To do so, add a NEW template (see below) to the DELEGWIZ.INF file (%WINDIR%\INF). It delegates the task of JOINING COMPUTERS TO THE DOMAIN only, not the creation of computer accounts: the accounts must already exist in the OU. REPLACE THE X with a template NUMBER that is NOT already USED in the file!


;----------------------------------------------------------
[templateX]
AppliesToClasses = domainDNS,organizationalUnit,container
Description = "Join a computer to the domain in an OU (computer account pre-created)"
ObjectTypes = computer
[templateX.computer]
;Right to join computers to domain
CONTROLRIGHT = "Reset Password","Validated write to DNS host name","Validated write to service principal name","Account Restrictions"
;----------------------------------------------------------

Don't forget to add your templateX id to the comma-separated Templates = list in the [DelegationTemplates] section of the same file; the wizard only shows templates that are listed there.

Now start 'Active Directory Users and Computers', right-click the OU that holds the pre-created computer accounts, select 'Delegate Control...', choose the group that should be allowed to join machines, and pick the new 'Join a computer to the domain in an OU (computer account pre-created)' task. Members of that group can then join a machine whose computer account already exists in that OU, but cannot create new accounts.
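The wizard template writes four ACEs on the OU. As an added example (not code from the original post or from activedir.org), the PowerShell below applies the same four rights directly with the RSAT ActiveDirectory module and then lists what the group holds, so the delegation can be scripted and reviewed without the GUI. The OU distinguished name and the group name are placeholders for your own environment; the GUIDs are the well-known schema values for the computer class, the Reset Password extended right, the two validated writes and the Account Restrictions property set.

```powershell
# Added example: delegate "join computer to the domain" on an OU without the wizard.
# Assumes the RSAT ActiveDirectory module is installed and that $OuDn and
# $GroupName (both placeholders) are replaced with your own values.
Import-Module ActiveDirectory

$OuDn      = 'OU=Workstations,DC=example,DC=com'   # placeholder OU
$GroupName = 'Helpdesk-DomainJoin'                 # placeholder group

# Well-known schema GUIDs (schemaIDGUID / rightsGuid values from the AD schema).
$ComputerClass = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'  # computer object class
$ResetPassword = [Guid]'00299570-246d-11d0-a768-00aa006e0529'  # User-Force-Change-Password ("Reset Password")
$ValidatedDns  = [Guid]'72e39547-7b18-11d1-adef-00c04fd8d5cd'  # Validated write to DNS host name
$ValidatedSpn  = [Guid]'f3a64788-5306-11d1-a9c5-0000f80367c1'  # Validated write to service principal name
$AcctRestrict  = [Guid]'4c164200-20c0-11d0-a768-00aa006e0529'  # Account Restrictions property set

function New-JoinAce {
    # Builds one Allow ACE scoped to descendant computer objects only,
    # which is what the wizard template's [templateX.computer] section produces.
    param(
        [System.Security.Principal.SecurityIdentifier]$Sid,
        [System.DirectoryServices.ActiveDirectoryRights]$Rights,
        [Guid]$ObjectType
    )
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList @(
        $Sid,
        $Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $ComputerClass
    )
}

$sid = (Get-ADGroup -Identity $GroupName).SID
$acl = Get-Acl -Path "AD:\$OuDn"

# The same four rights the INF template grants:
$acl.AddAccessRule((New-JoinAce -Sid $sid -Rights ExtendedRight -ObjectType $ResetPassword))  # Reset Password
$acl.AddAccessRule((New-JoinAce -Sid $sid -Rights Self          -ObjectType $ValidatedDns))   # validated write dNSHostName
$acl.AddAccessRule((New-JoinAce -Sid $sid -Rights Self          -ObjectType $ValidatedSpn))   # validated write servicePrincipalName
$acl.AddAccessRule((New-JoinAce -Sid $sid -Rights WriteProperty -ObjectType $AcctRestrict))   # write Account Restrictions

Set-Acl -Path "AD:\$OuDn" -AclObject $acl

# Check: show exactly what the group now holds on the OU so the delegation can be audited.
(Get-Acl -Path "AD:\$OuDn").Access |
    Where-Object { $_.IdentityReference -like "*\$GroupName" } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType, AccessControlType |
    Format-Table -AutoSize
```

Note that Reset Password on computer objects lets the group reset the password of any computer account under that OU, which is what makes the join possible in the first place; scope the delegation to an OU that contains only the machines the group is meant to manage, and run the final Get-Acl check after any change to confirm no broader rights were added by mistake.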

Source : www.activedir.org
