A few months ago I discovered that normal AD users are able to join computers to the domain (up to 10) without any particular grants or settings.
It was very unexpected news for me.
Default limit to number of workstations a user can join to the domain
"By default, Windows 2000 allows authenticated users to join ten machine accounts to the domain.
This default was implemented to prevent misuse, but can be overridden by an administrator by making a change to an object in Active Directory.
Note that users in the Administrators or Domain Administrators groups, and those users who have delegated permissions on containers in Active Directory to create and delete computer accounts, are not restricted by this limitation."
Here is the AD attribute that defines the maximum number of joins (10 by default); you need to use ADSIEdit.msc to view or change it:
MS-DS-Machine-Account-Quota
It is highly recommended to disable this feature, for obvious security reasons:
https://docs.microsoft.com/en-us/archive/blogs/dubaisec/who-can-add-workstation-to-the-domain
REMEDIATION:
For security reasons it is preferable that Authenticated Users cannot join computers to the domain.
You must modify the "Default Domain Policy" so that domain joins are permitted only to specific users or groups.
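The following PowerShell is an added example, not code from the original post or from Microsoft: it reports the current quota, lists computer accounts that were created through the quota (their mS-DS-CreatorSID attribute records the joining user), and optionally sets the quota to 0. It assumes the RSAT ActiveDirectory module on a domain-joined host; the remediation step needs Domain Admin rights.

```powershell
# Added example: audit and remediate ms-DS-MachineAccountQuota.
# Assumes RSAT ActiveDirectory module; -Remediate requires Domain Admin.
Import-Module ActiveDirectory

function Get-MachineAccountQuotaReport {
    $domain = Get-ADDomain
    $domObj = Get-ADObject -Identity $domain.DistinguishedName `
        -Properties 'ms-DS-MachineAccountQuota'
    $quota  = [int]$domObj.'ms-DS-MachineAccountQuota'
    Write-Host "ms-DS-MachineAccountQuota on $($domain.DNSRoot): $quota"

    # Computers joined via the quota (no delegated create permission)
    # carry the creating user's SID in mS-DS-CreatorSID. Admin-created
    # objects normally do not, so this list is the audit trail.
    Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' `
        -Properties mS-DS-CreatorSID, whenCreated |
    ForEach-Object {
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
            $_.'mS-DS-CreatorSID', 0)
        # Translate to DOMAIN\user; fall back to raw SID if the account is gone.
        $creator = try {
            $sid.Translate([System.Security.Principal.NTAccount]).Value
        } catch { $sid.Value }
        [pscustomobject]@{
            Computer    = $_.Name
            CreatedBy   = $creator
            WhenCreated = $_.whenCreated
        }
    }
}

function Set-MachineAccountQuotaToZero {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $domain = Get-ADDomain
    if ($PSCmdlet.ShouldProcess($domain.DNSRoot, 'Set ms-DS-MachineAccountQuota to 0')) {
        # 0 means Authenticated Users can no longer create computer accounts.
        # Joins must then go through the "Add workstations to domain" user
        # right or explicit delegation on the Computers OU, as the post describes.
        Set-ADDomain -Identity $domain.DistinguishedName `
            -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
    }
}

Get-MachineAccountQuotaReport | Format-Table -AutoSize
# Dry run first, then drop -WhatIf to apply:
Set-MachineAccountQuotaToZero -WhatIf
```

Run the report before remediating so that any machines legitimately joined by ordinary users are known and re-assigned to a delegated group.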
Rafal Sosnowski (a member of the Microsoft Dubai Security PFE team) says:
During my numerous Security Audits and Assessments I deliver to customers, I usually discover too wide permissions and user rights configured in Active Directory. One of them is “Add Workstation to the Domain”.
It is important to control who can add new machines to our AD environment. Although we can enforce various security settings via GPO on newly added machines, a user could join a machine which is not configured according to our security standards and at the same time have ownership of various objects in the system (local admin account, ACLs on the file system etc.).
<==================>
Here is the full article:
[update 2022.11.02]
KB5020276—Netjoin: Domain join hardening changes