Campus Active Directory - Domain Join Permissions for Computer Objects
There are 4 permissions required to join computers to Active Directory when the computer object already exists (that is, it was pre-staged). If you are not pre-staging the computer object and it does not exist yet, you will need one additional permission, shown later in this KB. Below are the steps to create a service account with the required permissions.
- Create a service account in your OU, following the naming conventions detailed here: https://kb.wisc.edu/iam/30600#kb-toc-anchor23
- Right-click the OU you want to join computers to and navigate to Properties > Security > Advanced (in this example I am delegating permission to the CAD Demo OU):
- After clicking Advanced, a new window will open. Click Add and another window will open. At the top of this window is an option to select the service account you created earlier. After selecting your service account, change the "Applies to" drop-down to "Descendant Computer objects".
- Next, scroll down to the bottom of the window and select the "Clear all" option.
- After clearing all permissions, find and select the following four permissions:
After selecting the above options, click OK followed by Apply in the Advanced Security Settings window.
Your permissions should look like this. Some settings will appear blank but this is normal.
If you are joining a computer object that does not exist in CAD, you will need the above 4 permissions along with the "Create Computer objects" permission below, making sure to apply it to "This object and all descendant objects" for the OU you are delegating to:
Your account should now be able to join computers to Campus AD in the OU you have set permissions for.
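The same delegation can be applied and then reviewed from PowerShell. The script below is an added example, not part of this KB or a campus-provided tool. It assumes the RSAT ActiveDirectory module, an account allowed to modify the OU's security descriptor, and placeholder values for the service account name and OU distinguished name. The four "pre-staged object" rights it grants (Reset Password, read/write Account Restrictions, Validated write to DNS host name, Validated write to service principal name) are the set Microsoft documents for delegated domain joins; this KB shows its four in a screenshot, so compare the two before running. Extended-right GUIDs are looked up from the schema by display name rather than hard-coded.

```powershell
# Added example (not from the KB): delegate domain-join permissions to a service
# account on one OU, then list the resulting ACEs so the delegation can be reviewed.
# Assumptions: RSAT ActiveDirectory module installed; the caller can modify the OU's
# DACL; the four rights below match the ones in the KB screenshot (verify first).
Import-Module ActiveDirectory

$ServiceAccount = 'svc-domainjoin'                   # placeholder sAMAccountName
$OuDN           = 'OU=CAD Demo,DC=example,DC=org'    # placeholder OU distinguished name
$AllowCreate    = $true   # $false if every computer object will be pre-staged

$rootDse  = Get-ADRootDSE
$configNC = $rootDse.configurationNamingContext
$schemaNC = $rootDse.schemaNamingContext

# Resolve a control access right (extended right, validated write or property set)
# to its rightsGuid from CN=Extended-Rights instead of hard-coding GUIDs.
function Get-RightGuid([string]$DisplayName) {
    $obj = Get-ADObject -SearchBase "CN=Extended-Rights,$configNC" `
        -LDAPFilter "(&(objectClass=controlAccessRight)(displayName=$DisplayName))" `
        -Properties rightsGuid
    if (-not $obj) { throw "Control access right '$DisplayName' not found" }
    return [guid]$obj.rightsGuid
}

# schemaIDGUID of the computer class: scopes ACEs to "Descendant Computer objects"
# and is the object type of the "Create Computer objects" right.
$computerClassGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(ldapDisplayName=computer)' -Properties schemaIDGUID).schemaIDGUID

$sid = (Get-ADUser -Identity $ServiceAccount).SID
$acl = Get-Acl -Path "AD:\$OuDN"

$Allow      = [System.Security.AccessControl.AccessControlType]::Allow
$Descendant = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents
$AllObjects = [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All
$ADRights   = [System.DirectoryServices.ActiveDirectoryRights]

# The four rights for joining a pre-staged computer object (assumed set, see above).
$rules = @(
    @{ Rights = $ADRights::ExtendedRight;                       Guid = Get-RightGuid 'Reset Password' }
    @{ Rights = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'
       Guid   = Get-RightGuid 'Account Restrictions' }
    @{ Rights = $ADRights::Self;                                Guid = Get-RightGuid 'Validated write to DNS host name' }
    @{ Rights = $ADRights::Self;                                Guid = Get-RightGuid 'Validated write to service principal name' }
)
foreach ($r in $rules) {
    # Applies to: Descendant Computer objects (inheritedObjectType = computer class)
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $r.Rights, $Allow, $r.Guid, $Descendant, $computerClassGuid)))
}

if ($AllowCreate) {
    # "Create Computer objects" on this object and all descendant objects
    $acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $ADRights::CreateChild, $Allow, $computerClassGuid, $AllObjects, [guid]::Empty)))
}

Set-Acl -Path "AD:\$OuDN" -AclObject $acl

# Review: everything this account now holds on the OU. Anything beyond the small set
# above (for example GenericAll or WriteDacl) means the account is over-privileged.
$account = $sid.Translate([System.Security.Principal.NTAccount])
(Get-Acl -Path "AD:\$OuDN").Access |
    Where-Object { $_.IdentityReference -eq $account } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The review step at the end is worth running on its own periodically: the join account only needs the rights listed here, scoped to descendant computer objects, and any broader ACE that appears in that output is a sign the delegation has drifted from what was intended.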