Now I need to add some special permissions to computer objects, so I click Add again. Once again, I’ll select the DBA group, then I need to switch to Descendant Computer objects. I click Write and then scroll down until I see Validated write to service principal name. I’ll click the box to enable it, and then OK, OK, and OK.
The end result looks like below :
2 permissions for DBA group,
All descendants objects : Write all properties
Descendant computer objects : Validate write to Service Principal Name
Regis has the whole process documented well, so check it out.