First a bit of background. There are several threads on this forum related to securing passwords or sensitive data. The official IBM-sanctioned approach is through their OS Deployment or Local User Management. Those approaches leverage ‘mailboxing’. This concept assumes that a machine exists and has generated a unique key pair. Passing ‘secret’ data to specific and unique machines on a one-to-one basis works well.
Where it doesn’t work is with groups of machines, dynamic targets, and future yet-to-be-created machines. See this thread for more detailed discussion. At my organization, we took the concept of Local User Management and OS Deployment a step further. With a bit of OpenSSL work, we’re able to leverage either one-to-one mailboxing or one-to-many. This is the basis for encrypting credentials such as those for domain join (among many others). More details here.
Then, with the encrypted domain join password available, it is trivial to create a dynamically generated Netdom script. Netdom does have an OU argument. With simple ‘if/then/else’ logic applied during the netdom script build, you can drop the machine into a specific OU based on whatever your organizational criteria are (subnet, naming convention, OS type, etc.). The best part is being able to issue a policy action targeting a dynamic group based on specific criteria of machines yet to be created. Just be sure to securely delete your netdom script immediately following its use.
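The flow the post describes, as an added example that is not the poster's own BigFix content: the credential is encrypted once under a random content key, that key is wrapped with OpenSSL for each recipient's public key (so one sealed blob serves many endpoints instead of one-to-one mailboxing), an endpoint unwraps it with its own private key, picks the OU from its subnet, writes the netdom command, and securely deletes the script afterwards. Everything here is constructed for the demo: the two endpoint key pairs are generated on the spot (in BigFix the endpoint's private key would already exist), and the domain, OUs, subnets, join account and password are made up.

```shell
#!/bin/sh
# Added example: one-to-many "mailboxing" of a domain-join credential with
# OpenSSL, then building the netdom join script on the receiving endpoint.
# All names, subnets, OUs and the credential below are constructed.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Simulate the key pair each endpoint generates once (its "mailbox" key).
make_endpoint_key() {  # $1 = endpoint name
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$1.key" 2>/dev/null
    openssl pkey -in "$WORK/$1.key" -pubout -out "$WORK/$1.pub"
}

# Sender side: encrypt the secret once under a random content key, then wrap
# that key for every recipient public key (one-to-many instead of one-to-one).
seal_for_recipients() {  # $1 = secret string, remaining args = endpoint names
    secret=$1; shift
    openssl rand -hex 32 > "$WORK/content.key"
    printf '%s' "$secret" | openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass "file:$WORK/content.key" -out "$WORK/secret.enc"
    for ep in "$@"; do
        openssl pkeyutl -encrypt -pubin -inkey "$WORK/$ep.pub" \
            -pkeyopt rsa_padding_mode:oaep \
            -in "$WORK/content.key" -out "$WORK/content.key.$ep"
    done
    rm -f "$WORK/content.key"   # the plaintext content key never ships
}

# Endpoint side: unwrap the content key with its private key, then decrypt.
open_on_endpoint() {  # $1 = endpoint name; prints the recovered secret
    openssl pkeyutl -decrypt -inkey "$WORK/$1.key" \
        -pkeyopt rsa_padding_mode:oaep \
        -in "$WORK/content.key.$1" -out "$WORK/content.key.$1.plain"
    openssl enc -d -aes-256-cbc -pbkdf2 \
        -pass "file:$WORK/content.key.$1.plain" -in "$WORK/secret.enc"
    rm -f "$WORK/content.key.$1.plain"
}

# The post's if/then/else step: choose the OU from the machine's subnet.
ou_for_subnet() {  # $1 = IPv4 address of the endpoint
    case $1 in
        10.1.*) echo "OU=Servers,DC=example,DC=com" ;;
        10.2.*) echo "OU=Workstations,DC=example,DC=com" ;;
        *)      echo "OU=Staging,DC=example,DC=com" ;;
    esac
}

# Write the netdom command the endpoint would run (netdom join /OU syntax).
build_netdom_script() {  # $1 = endpoint, $2 = its IP, $3 = join account
    pw=$(open_on_endpoint "$1")
    printf 'netdom join %%COMPUTERNAME%% /domain:example.com /OU:"%s" /UserD:%s /PasswordD:%s\n' \
        "$(ou_for_subnet "$2")" "$3" "$pw" > "$WORK/join-$1.cmd"
    cat "$WORK/join-$1.cmd"
}

# Secure-delete the script immediately after use, as the post recommends.
destroy_script() {  # $1 = endpoint
    if command -v shred >/dev/null 2>&1; then shred -u "$WORK/join-$1.cmd"
    else rm -f "$WORK/join-$1.cmd"; fi
    [ ! -e "$WORK/join-$1.cmd" ]
}

make_endpoint_key ws01; make_endpoint_key srv01
seal_for_recipients 'J0in-P@ss-constructed' ws01 srv01
build_netdom_script srv01 10.1.4.20 'EXAMPLE\joinsvc'
destroy_script srv01
```

The sealed blob plus one wrapped key per recipient is what a one-to-many action would carry; adding a future machine only means wrapping the same content key for its public key, the encrypted credential itself is not re-issued. On Windows the `shred` step maps to whatever secure-delete tool the organization standardizes on.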