How to Delegate Rights to Modify SPNs in Active Directory

With Kerberos taking over as the preferred authentication protocol, system administrators need to be able to modify the SPN for their service accounts and computer objects in Active Directory. And you don't want to make all of your system administrators domain admins. To delegate this right, you can run the command below on your domain controller.