Specify a username that has permission to join computers to the Active Directory domain.
Use the “Delegate Control” workflow in Active Directory to assign the following user account permissions to the username or to a group to which the user belongs:
Write All Properties
Validate Write to DNS hostname
Read and write DNS host attributes
Delete Computer Objects
Create Computer Objects "
But Active Directory configuration is much more complicated than that. So, delegate to the user, but on what container? The container where the Pulse device computer objects are going to be created? The container where users are located (so that their passwords can be reset)? And which object types are those permissions referring to? "computer objects"? users? ...