Restricted user for domain join only
Can I create a restricted user for domain join only
Generally yes, but almost every change to the LDAP schema or to the ACLs will affect such a user, so its permissions have to be corrected again and again. Apart from that, the benefit of such a user is small. Joining a system is an administrative activity in the domain and requires write permissions in LDAP. A user limited to joining therefore already holds the access needed to grant itself any further rights it wants, so the restriction provides little real protection.
Weighing the effort against the benefit, the answer is that the effort is out of all proportion to the benefit.