This is a sample workflow on how to automatic create a CustomSpecFile. Note that the passwords in this is saved unencrypted (So do not use in a production environmnet unless you take other measures).

In my own environment I've solved this in this way:

• The VMware named attribute “domainadmin” does not need to be a domain admin. In our case this user ONLY have access to join the AD as a new serer.(Does not even have access to create a computer account).
• The local administrator password is changed as soon as the computer is joined to AD (Using LAPS)

The result of this is that both user/password combo's is useless as soon as the server is finished. (and ofcourse the CustomSpec file is deleted automatically after deployment)

// Note: con = VC:SDKConnection to the vCenter you want to create the CustomSpecFile
 
var CustomSpecFile = "__vRO-AutoGenerated_"+ComputerName;
try
{
	var cms = con.customizationSpecManager;
 
	var Cust = new VcCustomizationSpecItem(); // Main Object
 
 
	// Attach Objects to MAIN
	Cust.spec = new VcCustomizationSpec();
	Cust.info = new VcCustomizationSpecInfo();
 
	// Do INFO Object
 
	Cust.info.type = "Windows";
	Cust.info.name = CustomSpecFile;
	Cust.info.description = "Auto Generated from vRO";
 
 
	// Do SPEC object
 
	Cust.spec.options = new VcCustomizationWinOptions();
	Cust.spec.globalIPSettings = new VcCustomizationGlobalIPSettings(); // Should be Empty for vRA to use Network profile to fetch IP
	Cust.spec.identity = new VcCustomizationSysprep();
 
 
 
	// Set WinOptions Params
	Cust.spec.options.changeSID = true;
	Cust.spec.options.deleteAccounts = true;
	Cust.spec.options.reboot = VcCustomizationSysprepRebootOption.reboot;
 
	Cust.spec.identity.userData = new VcCustomizationUserData();
	Cust.spec.identity.userData.fullName = "Customer1";
	Cust.spec.identity.userData.orgName = "Organization1";
	Cust.spec.identity.userData.productId ="";  // Must be defined (Cannot be null)
 
	// License setup
 
	Cust.spec.identity.userData.computerName = new VcCustomizationVirtualMachineName();
	Cust.spec.identity.licenseFilePrintData = new VcCustomizationLicenseFilePrintData();
	Cust.spec.identity.licenseFilePrintData.autoMode = VcCustomizationLicenseDataMode.perServer;
	Cust.spec.identity.licenseFilePrintData.autoUsers = 5;
 
 
	Cust.spec.identity.identification = new VcCustomizationIdentification();
 
	// Domain Join
	Cust.spec.identity.identification.joinDomain = "customer1.ad.locale";
	Cust.spec.identity.identification.domainAdmin = "UserWithJoinAccess";
	Cust.spec.identity.identification.domainAdminPassword = new VcCustomizationPassword();
	Cust.spec.identity.identification.domainAdminPassword.plainText = true;
	Cust.spec.identity.identification.domainAdminPassword.value = "SecretPassword";
 
 
 
	// Setup Local Administrator Password
	Cust.spec.identity.guiUnattended = new VcCustomizationGuiUnattended();
	Cust.spec.identity.guiUnattended.password = new VcCustomizationPassword();
	Cust.spec.identity.guiUnattended.password.plainText = true;
	Cust.spec.identity.guiUnattended.password.value = "password1";
	Cust.spec.identity.guiUnattended.autoLogon = true;
	Cust.spec.identity.guiUnattended.autoLogonCount = 1;
	Cust.spec.identity.guiUnattended.timeZone = 110;
 
 
 
	// DO NETWORK
	var AdapterList = new Array();
	var Adapter1 = new VcCustomizationAdapterMapping();
	Adapter1.adapter = new VcCustomizationIPSettings();
	Adapter1.adapter.ip = new VcCustomizationDhcpIpGenerator();
	AdapterList.push (Adapter1);
 
 
	Cust.spec.nicSettingMap = AdapterList;
 
	// SAVE
 
	cms.createCustomizationSpec(Cust);
 
 
 
}
catch (exception)
{
	System.log ("Failed to create CustomSpecfile: "+CustomSpecFile+" Error: "+ exception);
	CustomSpecFile = null;
}