If the computer is prestaged, then the user performing the installation (or the credentials in the Unattend file for the domain join) needs the appropriate Join Domain rights.

The following section outlines the minimal set of permissions that are necessary to perform common management tasks using the server properties pages.Membership in both the Enterprise Admins group and the Domain Admins group of the root domain is the minimum required to complete this procedure.After you complete this procedure, domain users automatically enroll a user certificate when Group Policy is refreshed.It is often useful to delegate the management of a Windows Deployment Services server to an account other than the domain administrator or enterprise administrator (and grant these general permissions to the delegated account).

The delegated administrator account should be a local and domain administrator as specified above.

If security is the primary concern for you, we recommend that you use physical media (for example, that contains a discover image) to boot each computer.