I recently ran into an issue where I needed to create a service account with the bare minimum permissions to join a Windows and a Linux server to a domain. Joining Windows was fairly easy, as it only requires the 5 permissions, but the Linux server was throwing all kinds of errors. Linux servers require additional permissions to join AD through realm join or adcli.
ADDING THE DELEGATION
1. Open the Active Directory Users and Computers.
2. Create a new OU called Linux.
3. Right-click on the Linux OU container and select Delegate control.
4. Click Next.
5. Click Add and select the service account “firstname.lastname@example.org” and click Next.
6. Select Create a custom task to delegate and click Next.
7. Select Only the following objects in the folder and check “Computer objects” from the list.
8. Place check-marks beside “Create selected objects in this folder” and “Delete selected objects in this folder”. Click Next.
9. Select General and Property-specific, then check the following permissions in the list.
Standard permissions required to join systems to AD (Linux and Windows)
Additional permissions required by Linux machines to join AD (Linux)
REVOKING THE DELEGATION
1. Open the Active Directory Users and Computers console as domain administrator.
2. Right-click the container or organizational unit (OU) whose permissions you want to revoke and select Properties.
3. Navigate to the Security tab.
4. Remove the service account's permissions.
5. Click OK.
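The same delegation (steps 7 to 10 above) and the revoke procedure, scripted with PowerShell as an added example that is not part of the original post, so the grant can be audited and removed reproducibly. It assumes the RSAT ActiveDirectory module is installed, that the OU is `OU=Linux,DC=example,DC=org`, and that the service account is a standard user named `svc-join`; it covers only the create/delete Computer object part of the delegation, not the per-attribute permission lists.

```powershell
# Added example, not from the original post: the Delegate Control wizard steps
# (create/delete Computer objects in the Linux OU) and the revoke step, scripted.
# Assumptions: RSAT ActiveDirectory module installed; OU path and account name below.
Import-Module ActiveDirectory

$OuDn    = 'OU=Linux,DC=example,DC=org'   # assumed: the "Linux" OU from step 2
$Account = 'svc-join'                      # assumed: a standard user service account

# Schema class GUID for "computer" objects. Putting it in the ACE's ObjectType is
# what the wizard's "Only the following objects in the folder -> Computer objects" does.
$ComputerClassGuid = [Guid]'bf967a86-0de6-11d0-a285-00aa003049e2'

function Grant-ComputerJoinDelegation {
    param([string]$OuDn, [string]$Account)
    $sid = (Get-ADUser -Identity $Account).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    # "Create selected objects in this folder" + "Delete selected objects in this folder"
    $ace = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
        $sid,
        [System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild',
        [System.Security.AccessControl.AccessControlType]::Allow,
        $ComputerClassGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

function Get-ComputerJoinDelegation {
    # Lists every ACE on the OU held by the service account, so the grant can be
    # checked for least privilege (nothing beyond Computer-object create/delete).
    param([string]$OuDn, [string]$Account)
    $sid = (Get-ADUser -Identity $Account).SID
    (Get-Acl -Path "AD:\$OuDn").Access |
        Where-Object { $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $sid } |
        Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType
}

function Revoke-ComputerJoinDelegation {
    # Equivalent of removing the service account on the OU's Security tab.
    param([string]$OuDn, [string]$Account)
    $sid = (Get-ADUser -Identity $Account).SID
    $acl = Get-Acl -Path "AD:\$OuDn"
    $acl.PurgeAccessRules($sid)   # drops every explicit ACE for this identity
    Set-Acl -Path "AD:\$OuDn" -AclObject $acl
}

Grant-ComputerJoinDelegation -OuDn $OuDn -Account $Account
Get-ComputerJoinDelegation   -OuDn $OuDn -Account $Account
```

Run it from a management host as a domain administrator; compare the output of Get-ComputerJoinDelegation before and after the grant, and again after Revoke-ComputerJoinDelegation, to confirm no ACE for the account remains on the OU.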