Yes, all AD users have LDAP read access.
Some applications like NextCloud, Roundcube, Webtop, ejabberd and Server Manager (until the next update) require direct access to LDAP to read user and group information. They cannot use the machine account credentials, like those based on PAM/NSS/SSSD (i.e. postfix, dovecot, samba...), so they require some other user credentials.
To join an AD domain, administrative credentials are required. It is a one-time action. The provided credentials are forgotten immediately and never used to browse LDAP.
Could you open a root shell and paste here the output of
A similar (but different) problem