Configuration Management / Users allowed to join computers to the domain
By default, any user, privileged or not, can join one or more computers to the domain. Doing so creates a new computer account in Active Directory.
If such a computer later becomes sensitive, e.g. because it holds critical company information, it becomes a key security asset that must be protected. Moreover, the user who joined the computer to the domain may still hold privileges on it, which is a way to keep a backdoor. It is therefore recommended to check that this default Active Directory behaviour is disabled and to review the existing computers that were added through it.
It is recommended to verify that ordinary users cannot add computers to the Active Directory domain and that only the appropriate administrators can do so.
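As an added example (not from the original page), the following PowerShell performs the two checks described above: it reads the domain attribute ms-DS-MachineAccountQuota that controls this behaviour and lists the computer accounts created through it, identified by the mS-DS-CreatorSID attribute that Active Directory sets on them. It assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example (not part of the original page): audit the default that lets
# ordinary users join computers to the domain, and list the machines created that way.
# Assumes the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$root   = Get-ADObject -Identity $domain.DistinguishedName -Properties 'ms-DS-MachineAccountQuota'
$quota  = $root.'ms-DS-MachineAccountQuota'

# The quota is the number of computers a non-admin user may join; the Windows default is 10.
if ($quota -gt 0) {
    Write-Warning "ms-DS-MachineAccountQuota is $quota: any authenticated user can add up to $quota computers."
} else {
    Write-Output "ms-DS-MachineAccountQuota is 0: only accounts with explicit rights can add computers."
}

# Computers joined through this quota carry mS-DS-CreatorSID, the SID of the user who created them.
# Computers created or pre-staged by administrators do not have this attribute set.
$created = Get-ADComputer -LDAPFilter '(mS-DS-CreatorSID=*)' -Properties mS-DS-CreatorSID, whenCreated
foreach ($c in $created) {
    # The attribute is returned as a byte array; convert it to a SID and resolve it to an account name.
    $sid = New-Object System.Security.Principal.SecurityIdentifier ($c.'mS-DS-CreatorSID', 0)
    try   { $creator = $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $creator = "$sid (unresolved, account may have been deleted)" }
    [PSCustomObject]@{
        Computer = $c.Name
        Created  = $c.whenCreated
        Creator  = $creator
    }
}

# Remediation: set the quota to 0 and delegate "Create Computer objects" on the
# relevant OU to the administrators who actually perform domain joins.
# Set-ADDomain -Identity $domain.DistinguishedName -Replace @{'ms-DS-MachineAccountQuota' = 0}
```

Each listed computer should be reviewed: the creator still holds rights on that object unless they were explicitly removed.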