It’s still a bad idea, but if that’s the design you want to run with, it can be done. (Personally, I would add a new child OU to hold just the subset of computers that require this delegation, and set the permissions there.)
Here are a couple of examples of using PowerShell to get at the security descriptors of AD objects:
http://blogs.technet.com/b/heyscriptingguy/archive/2012/03/12/use-powershell-to-explore-active-directory-security.aspx
http://blogs.msdn.com/b/muaddib/archive/2013/12/30/how-to-modify-security-inheritance-on-active-directory-objects.aspx
They’re not exactly what you asked for, but it’s a start. The code to modify the ACLs themselves is fairly generic, but you’ll be working with ActiveDirectorySecurity, ActiveDirectoryAccessRule and ActiveDirectoryRights types, instead of the FileSystem versions of those classes that you’d see in most example code.
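A sketch of that pattern applied to a dedicated child OU, added here as an example and not taken from the original post or the linked articles. The OU distinguished name, the group name and the rights granted are placeholders (assumptions), and it assumes the ActiveDirectory module from RSAT is available:

```powershell
# Added example. $ouDn, $groupName and $rights are hypothetical placeholders;
# substitute the OU, principal and rights your delegation actually needs.
Import-Module ActiveDirectory

$ouDn      = 'OU=DelegatedComputers,OU=Computers,DC=example,DC=com'
$groupName = 'Computer-Delegates'
$rights    = [System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty'

# Look up the schemaIDGUID of the computer class so the ACE is scoped to
# computer objects only, not every object type under the OU.
$schemaNc      = (Get-ADRootDSE).schemaNamingContext
$computerClass = Get-ADObject -SearchBase $schemaNc `
                     -LDAPFilter '(lDAPDisplayName=computer)' -Properties schemaIDGUID
$computerGuid  = [System.Guid]$computerClass.schemaIDGUID

# A SecurityIdentifier is an IdentityReference, which the rule constructor expects.
$sid = (Get-ADGroup -Identity $groupName).SID

# Get-Acl on the AD: drive returns an ActiveDirectorySecurity object.
$path = "AD:\$ouDn"
$acl  = Get-Acl -Path $path

# Review the explicit (non-inherited) ACEs already on the OU before changing anything.
$sidType = [System.Security.Principal.SecurityIdentifier]
$acl.GetAccessRules($true, $false, $sidType) |
    Format-Table IdentityReference, ActiveDirectoryRights, AccessControlType,
                 InheritanceType, InheritedObjectType -AutoSize

# Allow ACE: applies to descendant objects of class computer only.
$rule = [System.DirectoryServices.ActiveDirectoryAccessRule]::new(
    $sid,
    $rights,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $computerGuid)

$acl.AddAccessRule($rule)

# -WhatIf shows what would be written; remove it to commit the change.
Set-Acl -Path $path -AclObject $acl -WhatIf

# After applying, confirm that only the intended ACE exists for the group.
(Get-Acl -Path $path).GetAccessRules($true, $false, $sidType) |
    Where-Object { $_.IdentityReference -eq $sid }
```

Scoping the ACE with the computer class GUID and `Descendents` inheritance keeps the grant off the OU object itself and off non-computer objects beneath it.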