My company uses a depot offsite to manage our laptops and tablets. They are assigned the tasks of imaging our laptop and then preparing them to send to a designated user. One of the tasks that we need to them to handle is getting them on our domain via Cisco anyconnect VPN. So we've provided them a Service Account and this allows them access to our domain. Once on the domain, we need them to add that designated user as a local admin on that machine. When they attempt to add the user to the administrators group their Service Account credentials do not allow them to accomplish this. They have to call over to my team to have us connect to the machine and enter our admin credentials. The goal is to give them this access without getting so many involved. The users at the depot have external domain accounts but they do not use these to accomplish their tasks. Also, our DBA will not allow them to have domain admin credentials. So Delegate Control Wizard permissions setting would be the only thing that suffices.