I'm setting up an Active Directory connection and it is asking for a service account. What are the minimum permissions the account needs in AD for LDAP functionality?
The simple existence of the account being there should be sufficient. You shouldn't need any privs. I use the same account as my Casper install account as it's an AD-based service account.
Excellent. Thanks.
Would that service account need JOIN privileges if you were trying to do authenticated binds to AD? It depends on your AD security settings.
- Justin
In most environments, AD accounts need specific permission to create the computer object when joining. Most environments will require a pre-created computer object before binding. Best practice is to allow a particular service account to create the object when joining, but to limit it to particular OUs and not the entire directory.
I believe OP was simply asking about the ability to do the user info lookups required so that AD users can log into the JSS.