SAP is one of the largest software companies in the world. Inexplicably SAP thinks you need to give your web server admins Domain Admin rights to integrate with AD.
Like other vendors, they lead with, "needs to be a member of domain admins". Then they fall back to here is what you can do if you aren't domain admin. This is nice to have, but pretty embarrassing for SAP. All they want is a users and groups created.