OV 2500 - AD Connect User Rights

Hello, If you bind the OV 2500 UPAM to an AD via LDAP, an AD user is expected who is also allowed to create computer accounts.

What rights exactly does this user need? So far I have helped myself by temporarily moving the user to the Domain Admins group when connecting. But this cannot be a permanent solution.

The AD account of the OV 2500 is created with DES Kerberos support, can I deactivate this DES support for the computer account AD without affecting the OV 2500?

Best regards