As an Active Directory administrator, you must have come across new computers being unexpectedly joined to your domain. This is a newer feature in Microsoft Windows Server: any authenticated user can join a workstation to the domain.
This feature is useful in an environment where strict BYOD policies are set. But for me, it is a threat and may lead to an uncontrolled computer hierarchy.
There are a few ways to avoid this, but the Group Policy method below is much easier.
Open the Group Policy Management Console (GPMC) and navigate to the Domain Controllers OU under your domain.
Right-click ‘Default Domain Controllers Policy’ and choose Edit. Then navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights Assignment.
Right-click ‘Add workstations to domain’ and choose Properties. Remove ‘Authenticated Users’ and add whoever needs to be able to join workstations to the domain. I prefer to keep only Domain Admins.
That's it! You can run gpupdate on all your DCs to apply the new policy immediately.
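To confirm the change actually landed on a DC, you can export the user-rights area of its security policy and list who still holds ‘Add workstations to domain’ (stored as `SeMachineAccountPrivilege`). The script below is an added example, not part of the original post; the function name `Get-AddWorkstationHolders` and the choice of which SIDs count as "too broad" are assumptions made for illustration.

```powershell
# Added example (not from the original post). Run elevated on a domain controller
# after gpupdate; pass -InfLines to parse a saved secedit export instead.
function Get-AddWorkstationHolders {   # hypothetical helper name
    param([string[]]$InfLines)

    if (-not $InfLines) {
        # Export only the user-rights area of the effective local security policy.
        $tmp = Join-Path $env:TEMP ("user_rights_{0}.inf" -f [guid]::NewGuid())
        try {
            secedit /export /areas USER_RIGHTS /cfg $tmp | Out-Null
            $InfLines = Get-Content -Path $tmp
        } finally {
            Remove-Item -Path $tmp -ErrorAction SilentlyContinue
        }
    }

    # "Add workstations to domain" is stored as SeMachineAccountPrivilege.
    $line = $InfLines | Where-Object { $_ -match '^\s*SeMachineAccountPrivilege\s*=' } |
        Select-Object -First 1
    if (-not $line) { return }   # no line means the right is granted to nobody

    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $e = $entry.Trim()
        if (-not $e) { continue }
        $sid = $null; $name = $null
        try {
            if ($e.StartsWith('*')) {   # secedit writes SIDs with a leading '*'
                $sid  = $e.TrimStart('*')
                $name = ([Security.Principal.SecurityIdentifier]$sid).Translate([Security.Principal.NTAccount]).Value
            } else {                    # some principals are written by account name
                $name = $e
                $sid  = ([Security.Principal.NTAccount]$e).Translate([Security.Principal.SecurityIdentifier]).Value
            }
        } catch { }   # unresolvable entries are still reported with what is known
        # Assumed "too broad" set: Everyone, Authenticated Users, BUILTIN\Users, Domain Users (RID 513)
        $broad = $sid -match '^S-1-1-0$|^S-1-5-11$|^S-1-5-32-545$|^S-1-5-21-.*-513$'
        [pscustomobject]@{ Name = $name; Sid = $sid; TooBroad = [bool]$broad }
    }
}

# Constructed sample of the state before the change (Authenticated Users still present).
$before = '[Privilege Rights]', 'SeMachineAccountPrivilege = *S-1-5-11,*S-1-5-32-544'
Get-AddWorkstationHolders -InfLines $before | Format-Table -AutoSize
```

On a DC, call `Get-AddWorkstationHolders` with no arguments; any row with `TooBroad` set to True means the policy has not applied there yet or another GPO is overriding it.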