It does require some elevated privileges. Joining the domain allows CPPM to authenticate 802.1x methods that have MSCHAPv2 as the inner-EAP method, such as PEAP. This join procedure is done ONCE and only ONCE. We do NOT save or cache the account used to join the node to AD.
When you are done, you can use a typical service account with a non-expiring password when you add AD as an authentication source. This account will not need the same elevated privilege level.