Requirements

The account must be a member of the Domain Users group of the domain that is used to authenticate users. Its password must be set to never expire; otherwise the account must be reconfigured whenever the password is changed.

The account must be allowed to connect to the Domain Controller(s) but does not require further access to resources in the domain.
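
The requirements above can be checked against the account's directory attributes. The following is an added example, not part of the original page or of any product's code: it assumes the attributes (userAccountControl, primaryGroupID, memberOf, userWorkstations) have already been read from Active Directory into a dict, and the function name, sample records and host names are hypothetical.

```python
# Added example: audit a bind account's AD attributes against the requirements above.
UF_ACCOUNTDISABLE = 0x0002        # userAccountControl: account disabled
UF_DONT_EXPIRE_PASSWD = 0x10000   # userAccountControl: password never expires
DOMAIN_USERS_RID = 513            # well-known RID of the Domain Users group


def audit_account(attrs, domain_controllers):
    """Return a list of findings; an empty list means all requirements are met.

    attrs: dict of attribute name -> value as read from the directory.
    domain_controllers: host names of the DCs the account must reach.
    """
    findings = []
    uac = int(attrs.get("userAccountControl", 0))
    groups = [g.lower() for g in attrs.get("memberOf", [])]

    if uac & UF_ACCOUNTDISABLE:
        findings.append("account is disabled")

    # Domain Users is normally the primary group, which memberOf does not list.
    # The DN match assumes the default English group name.
    in_domain_users = (int(attrs.get("primaryGroupID", 0)) == DOMAIN_USERS_RID
                       or any(g.startswith("cn=domain users,") for g in groups))
    if not in_domain_users:
        findings.append("not a member of Domain Users")

    if not uac & UF_DONT_EXPIRE_PASSWD:
        findings.append("password expires: plan to reconfigure on each change")

    # userWorkstations backs the "Log On To" restriction; empty means unrestricted.
    allowed = {w.strip().lower()
               for w in attrs.get("userWorkstations", "").split(",") if w.strip()}
    missing = [dc for dc in domain_controllers if allowed and dc.lower() not in allowed]
    if missing:
        findings.append("logon restricted, DCs not allowed: " + ", ".join(missing))

    # Least privilege: anything beyond Domain Users is more than the account needs.
    extra = [g for g in groups if not g.startswith("cn=domain users,")]
    if extra:
        findings.append("unneeded group memberships: " + "; ".join(extra))
    return findings


# Constructed sample records (not from a real directory).
GOOD = {"userAccountControl": "66048", "primaryGroupID": "513", "memberOf": []}
BAD = {"userAccountControl": "512", "primaryGroupID": "513",
       "memberOf": ["CN=Domain Admins,CN=Users,DC=example,DC=test"],
       "userWorkstations": "APPSRV01"}
```

An empty result means the account meets every requirement listed; each finding names the requirement that is not met or the extra access that should be removed.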