Thursday, February 21, 2013

How to Delegate Rights to Modify SPNs in Active Directory

With Kerberos taking over as the preferred authentication protocol, system administrators need to be able to modify the SPN for their service accounts and computer objects in Active Directory. And you don't want to make all of your system administrators domain admins. To delegate this right, you can run the command below on your domain controller.

Before you run it, you need to change "OU=users,DC=domain,DC=suffix" to the distinguished name of the OU or object that you want to delegate the rights for. Then change "DOMAIN\GroupName" to your domain and the group or user that you want to grant the rights to.

dsacls "OU=users,DC=domain,DC=suffix" /I:S /G "DOMAIN\GroupName:RPWP;servicePrincipalName"

You can also limit this right to a specific object class (e.g. user or computer) by adding ";<InheritedObjectType>" immediately after "servicePrincipalName" in the command. Replace <InheritedObjectType> with the name of the class the right should be limited to, like this:

dsacls "OU=users,DC=domain,DC=suffix" /I:S /G "DOMAIN\GroupName:RPWP;servicePrincipalName;user"
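After running either command, it is worth confirming exactly who ended up with write access to servicePrincipalName under that OU and how each entry is scoped. The PowerShell below is an added example, not part of the original post: it reads the OU's ACL, keeps only the ACEs that grant WriteProperty on the servicePrincipalName attribute, and resolves the InheritedObjectType GUID back to a class name so an unscoped delegation stands out. It assumes the RSAT ActiveDirectory module and uses the post's placeholder DN, which you replace with your own.

```powershell
# Added example (not from the original post): audit which principals hold
# write rights on servicePrincipalName under an OU and how each ACE is scoped.
# Assumes the ActiveDirectory module (RSAT) in a domain-joined session.
Import-Module ActiveDirectory

$TargetDN = "OU=users,DC=domain,DC=suffix"   # placeholder from the post; replace it

$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Look up the schemaIDGUID of servicePrincipalName rather than hard-coding it.
$spnAttr = Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter "(lDAPDisplayName=servicePrincipalName)" -Properties schemaIDGUID
$spnGuid = [guid]$spnAttr.schemaIDGUID

# Map class schemaIDGUID -> lDAPDisplayName so InheritedObjectType is readable.
$classByGuid = @{}
Get-ADObject -SearchBase $schemaNC -LDAPFilter "(objectClass=classSchema)" `
    -Properties lDAPDisplayName, schemaIDGUID |
    ForEach-Object { $classByGuid[[guid]$_.schemaIDGUID] = $_.lDAPDisplayName }

$writeProp = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
$acl = Get-Acl -Path "AD:\$TargetDN"

$acl.Access |
    Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq $spnGuid -and
        (($_.ActiveDirectoryRights -band $writeProp) -ne 0)
    } |
    ForEach-Object {
        # An empty InheritedObjectType means the ACE applies to every object class.
        $scope = if ($_.InheritedObjectType -eq [guid]::Empty) { 'all object classes' }
                 elseif ($classByGuid.ContainsKey($_.InheritedObjectType)) { $classByGuid[$_.InheritedObjectType] }
                 else { $_.InheritedObjectType.ToString() }
        [pscustomobject]@{
            Identity       = $_.IdentityReference.Value
            Rights         = $_.ActiveDirectoryRights
            Inheritance    = $_.InheritanceType
            LimitedToClass = $scope
            Inherited      = $_.IsInherited
        }
    } | Format-Table -AutoSize
```

A delegation made with the second command above should show up with LimitedToClass set to "user"; one made with the first command shows "all object classes", which is the broader grant.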