Create a computer account and use it for Kerberos RBCD attacks when leveraging owned accounts with sufficient permissions (e.g. ACEs like GenericAll, GenericWrite or WriteProperty) against a target machine
Create a computer account and use it for a Kerberos Unconstrained Delegation attack when leveraging owned accounts with sufficient permissions (i.e. the SeEnableDelegationPrivilege user right)
Profit from special rights that members of the Domain Computers group could inherit
Profit from special rights that could automatically be applied to new domain computers based on their account name
In order to run the following commands and tools as other users, testers can check the user impersonation part.
The following command, using the PowerShell ActiveDirectory module's cmdlets Get-ADDomain and Get-ADObject, helps testers make sure the controlled domain user can create computer accounts: the MachineAccountQuota domain-level attribute must be set higher than 0 (it is 10 by default).
The Impacket script addcomputer (Python) can be used to create a computer account with the credentials of a domain user, as long as the MachineAccountQuota domain-level attribute is set higher than 0 (10 by default).
Testers need to be aware that a non-zero MAQ attribute doesn't necessarily mean users can create machine accounts: the right to add workstations to a domain can also be restricted through Group Policy, under Group Policy Management Console (gpmc.msc) > Domain Controllers OU > Domain Controllers Policy > Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignments > Add workstations to domain.
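An added example (not from this page or from Impacket) that combines the two checks above in PowerShell: it reads the MAQ attribute with Get-ADDomain/Get-ADObject and looks up which principals hold the "Add workstations to domain" right (internally SeMachineAccountPrivilege) in the Default Domain Controllers Policy security template in SYSVOL. It assumes the ActiveDirectory and GroupPolicy RSAT modules and read access to SYSVOL; the function name is an assumption of this example.

```powershell
# Added audit example, not part of the original page. Assumes the ActiveDirectory
# and GroupPolicy RSAT modules are installed and SYSVOL is readable.
Import-Module ActiveDirectory
Import-Module GroupPolicy

function Get-MachineAccountQuotaReport {
    $domain = Get-ADDomain
    # ms-DS-MachineAccountQuota is stored on the domain naming context object itself
    $maq = (Get-ADObject -Identity $domain.DistinguishedName `
                -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'

    # "Add workstations to domain" is SeMachineAccountPrivilege; the Default Domain
    # Controllers Policy stores its assignment in GptTmpl.inf under [Privilege Rights]
    $gpo = Get-GPO -Name 'Default Domain Controllers Policy'
    $inf = Join-Path "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}" `
                     'MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
    $line = Select-String -Path $inf -Pattern '^SeMachineAccountPrivilege' `
                -ErrorAction SilentlyContinue | Select-Object -First 1

    # The value is a comma-separated list of SIDs prefixed with '*'
    # (S-1-5-11 is Authenticated Users, the default holder of this right)
    $sids = @()
    if ($line) {
        $sids = ($line.Line -split '=')[1].Trim() -split ',' |
                ForEach-Object { $_.Trim().TrimStart('*') }
    }

    [pscustomobject]@{
        Domain                    = $domain.DNSRoot
        MachineAccountQuota       = $maq
        AddWorkstationsPrincipals = $sids
        AuthenticatedUsersCanJoin = ($maq -gt 0) -and ($sids -contains 'S-1-5-11')
    }
}

Get-MachineAccountQuotaReport
```

If AuthenticatedUsersCanJoin is true, the usual hardening step is to set the attribute to 0 (Set-ADDomain -Identity $domain -Replace @{'ms-DS-MachineAccountQuota'=0}) and restrict the user right to a dedicated group.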
MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory's Oddest Settings
The Most Dangerous User Right You (Probably) Have Never Heard Of - harmj0y
Active Directory: How to Prevent Authenticated Users from Joining Workstations to a Domain - TechNet Articles - United States (English) - TechNet Wiki