I've taken to delegating native AD rights to a group or two - that allows write to servicePrincipalName - external to ARS.
ARS provides the delegation to create SPNs in the web interface - and that works great.
Unexpected additional need ... for those that create service accounts that need an SPN set - SOME of those also need a keytab created using the service account name and password that was just generated via ARS.
Nothing seems built in to also throw out a keytab.
But onCreate ... could a workflow or policy script be used to generate a keytab that mimics ktpass.exe so we can stay out of the native delegations arena?