That sounds very unlikely to me, but just to be sure: Can a member of 'Domain Users' join a computer to the domain (granted that he has the local administrator account)?
The instructor said it, and it sounds very wrong. I tested it and I got 'Access denied' when I tried to supply a regular user's credentials. Am I missing something here?
Update: You get Access Denied if you already have a computer with that name in AD. If you delete the account, any user with local Administrator account could join the computer, auto creating an account in AD. UNBELIEVABLE.
Yes, they may join up to 10 computers by default.
You may either revoke this right, using Group Policy, or change the maximum number of allowed joins.
If this is a concern for you, it is quite possible to change the default location where new computer-objects are created. Set the GPO on that location to be very restrictive, such as disabling the local Administrator account, and by doing so users end up with a much more locked down workstation than they started with. Quite the disincentive.
The Microsoft view of this is that the user is opting into your security and domain policies by having the ability to join machines to the domain.
You can also monitor who has added machines to your domain and then break knuckles after the fact if they are misbehaving.
Depends what your internal policies are - we have a very small shop but Devs are prohibited (by word of God, not GPO) from adding machines to domain.
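The answers above mention a default limit of 10 joins per user, changing that limit, and monitoring who has added machines. The following PowerShell is an added example, not code from any poster in this thread, showing one way to check both. It assumes the RSAT ActiveDirectory module and read access to the domain; the attribute names `ms-DS-MachineAccountQuota` and `ms-DS-CreatorSID` do not appear in the thread and are the standard AD schema attributes for the quota and for the creator of a quota-joined computer account.

```powershell
# Added example: audit the per-user join quota and who has used it.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # The quota lives on the domain root object (10 unless changed).
    $domainDn = (Get-ADDomain).DistinguishedName
    $root = Get-ADObject -Identity $domainDn -Properties 'ms-DS-MachineAccountQuota'
    [pscustomobject]@{
        Domain = $domainDn
        Quota  = $root.'ms-DS-MachineAccountQuota'
    }
}

function Get-UserJoinedComputer {
    # ms-DS-CreatorSID is set on computer accounts a user created under the
    # quota; accounts pre-created by administrators normally lack it.
    Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
                   -Properties 'ms-DS-CreatorSID', whenCreated |
        ForEach-Object {
            $sid = $_.'ms-DS-CreatorSID'
            if ($sid -is [byte[]]) {
                # Raw bytes on some hosts: convert to a SID object first.
                $sid = New-Object System.Security.Principal.SecurityIdentifier($sid, 0)
            }
            try {
                $who = $sid.Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $who = $sid.Value   # creator deleted or not resolvable
            }
            [pscustomobject]@{
                Computer  = $_.Name
                CreatedBy = $who
                Created   = $_.whenCreated
                DN        = $_.DistinguishedName
            }
        }
}

Get-MachineAccountQuota
$joined = @(Get-UserJoinedComputer)
$joined | Sort-Object Created -Descending | Format-Table -AutoSize
# Joins per user, to spot anyone approaching the quota.
$joined | Group-Object CreatedBy | Sort-Object Count -Descending |
    Select-Object Count, Name

# To change the maximum (0 stops quota-based joins by ordinary users):
# Set-ADDomain -Identity (Get-ADDomain) -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

The `DN` column also shows where each object landed, which is useful when checking that new computers end up in the restrictive location described above.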