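<#
.SYNOPSIS
    Grants a domain-join account the AD rights it needs on an OU (or the domain root) to join computers.

.DESCRIPTION
    If the join user does not have the correct permissions, the join service reports something like:

        The domain join user 'xxxxxxx' lacks the following permissions in the OU:
          Create Computer, Delete Computer, List Contents, Read All Properties,
          Write All Properties, Read Permissions, Reset Password
        Please grant these permissions to the domain account for the specified OU and try again.
        Make sure that the permissions apply to the correct OU and to all its child objects.

    This script adds the access control entries (ACEs) that satisfy that list to the ACL of $DN:
      1. ReadProperty + GenericExecute on the OU and everything below it
         (GenericExecute = list contents + read permissions).
      2. Read/Write All Properties on descendant computer objects.
      3. Create/Delete child objects of class 'computer' on the OU and its sub-OUs.
      4. The "Reset Password" extended right on descendant computer objects.

.NOTES
    Security caveat: ACE 2 is "Write All Properties" (WriteProperty with a null property GUID) on
    every descendant computer object. That lets the join account change *any* attribute of *any*
    computer under $DN, not just the ones it creates. Therefore:
      - point $DN at the narrowest OU the join workflow actually uses, not the domain root;
      - treat the join account as a privileged credential (strong secret, no interactive logon,
        audit changes made with it).

    Requirements: the ActiveDirectory PowerShell module (RSAT) and a session running as an account
    that is allowed to modify the ACL of $DN (e.g. Domain Admin or the delegated OU owner).
    Re-running the script is safe: AddAccessRule merges with an identical existing ACE.
#>

$DN   = "DC=domain,DC=ext"          # Distinguished name of the target OU (preferred) or the domain root
$name = "DomainNetbios\joinUser"    # Join account, as DOMAIN\user

Import-Module ActiveDirectory -ErrorAction Stop

# GUIDs used in the ACEs below.
$NullGuid      = '00000000-0000-0000-0000-000000000000'  # "all properties" / "all object classes"
$ComputerClass = 'bf967a86-0de6-11d0-a285-00aa003049e2'  # schemaIDGUID of the 'computer' object class
$ResetPassword = '00299570-246d-11d0-a768-00aa006e0529'  # rightsGuid of User-Force-Change-Password ("Reset Password")

# The trustee is an NTAccount; the AD provider resolves it to a SID when the ACL is written.
$identity = New-Object System.Security.Principal.NTAccount($name)
$aclPath  = "AD:\$DN"

# Fail here (not after a partial write) if $DN does not exist or is not readable.
$acl = Get-Acl -Path $aclPath -ErrorAction Stop

# One entry per ACE: rights, object type GUID, inheritance, inherited object type GUID.
$aces = @(
    # 1. List Contents + Read All Properties + Read Permissions, on the OU and all children.
    @{ Rights = 'ReadProperty, GenericExecute';                ObjectType = $NullGuid;      Inherit = 'All';         InheritedObjectType = $NullGuid },
    # 2. Read All Properties + Write All Properties, on descendant computer objects only.
    @{ Rights = 'ReadProperty, WriteProperty, GenericExecute'; ObjectType = $NullGuid;      Inherit = 'Descendents'; InheritedObjectType = $ComputerClass },
    # 3. Create Computer + Delete Computer, on the OU and its sub-OUs.
    @{ Rights = 'CreateChild, DeleteChild';                    ObjectType = $ComputerClass; Inherit = 'All';         InheritedObjectType = $NullGuid },
    # 4. Reset Password (extended right), on descendant computer objects only.
    @{ Rights = 'ExtendedRight';                               ObjectType = $ResetPassword; Inherit = 'Descendents'; InheritedObjectType = $ComputerClass }
)

foreach ($ace in $aces) {
    # Constructor: (IdentityReference, ActiveDirectoryRights, AccessControlType,
    #               objectType Guid, ActiveDirectorySecurityInheritance, inheritedObjectType Guid)
    $ruleArgs = @(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]$ace.Rights,
        [System.Security.AccessControl.AccessControlType]::Allow,
        [guid]$ace.ObjectType,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]$ace.Inherit,
        [guid]$ace.InheritedObjectType
    )
    $rule = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
    $acl.AddAccessRule($rule)
}

# Write the ACL back to the exact object it was read from. An explicit -Path avoids relying on
# pipeline property binding of the ACL object's PSPath.
Set-Acl -Path $aclPath -AclObject $acl -ErrorAction Stop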