Use the delegate Control wizard inside AD against the top level domain listing (not OU). You can then select “Join Domain” as a security option for your chosen user(s)/group(s).

Be sure to check for the group policy too, “Default Domain Policy” > Computer Configuration > Windows Settings > Security Settings > Local Policies > “Add Workstations to Domain”