## On the domain controller.
# When using pre-staging, it may be necessary to also delegate the creation of the object in the domain and not just the join to the domain.
# Following a change to the domain junction reinforcement, you must be a domain administrator or the owner of the computer object to join the computer to the domain
# https://support.microsoft.com/en-us/topic/kb5020276-netjoin-domain-join-hardening-changes-2b65a0f3-1f4c-42ef-ac0f-1caaf421baf8

# Name of the OU Computers
$OUOrdinateursName = 'Ordinateurs'
# Distinguished name of the domain
$DomaineDN = (Get-ADDomain).distinguishedname

# Allow a group to join a computer to the domain on an OU. With inherited rights :
$OrdinateursOU = "ou=$OUOrdinateursName,$DomaineDN"
dsacls $OrdinateursOU /I:S /G $GPName":WS;Validated write to DNS host name;computer"
dsacls $OrdinateursOU /I:S /G $GPName":WS;Validated write to service principal name;computer"
dsacls $OrdinateursOU /I:S /G $GPName":CA;Reset Password;computer"
dsacls $OrdinateursOU /I:S /G $GPName":WP;Account Restrictions;computer"

# Add creation rights for the computer in the OU
dsacls $OrdinateursOU /I:T /G $GPName":CC;computer"

## On the workstation to join the domain
# You can define the destination OU and rename the workstation.
$PCName = 'pc-PoSH
$domaine = 'domaine.tld'
$ou = 'Ordinateurs'
$oupath = 'ou={2},dc={0},dc={1}' -f ($domaine.split('.') + $ou)

$param = @{
    DomainName = $domaine
    NewName = $NomPC
    Credential = get-credential
    OUPath = $oupath
    Restart = $true
}
Add-Computer @param