Thanks for the quick response. One thing I love about these forums!
Saying that you need admin rights or domain admin rights is fair enough but I know my AD guys are going to push back and ask what actual permissions do I need. And I have to say, I probably agree with them.
It's too easy (and I've seen it time and time again) for software suppliers etc. to simply state you need admin or domain admin for their software to work. Why? Because admin is essentialy access everything and it just works. Why would you not just ack for that?
Security wise, we're slowly moving to a position where admins should not even be logging on to workstation or servers using admin accounts because of various reasons, not withstanding the whole "Pass the Hash" issue. And the same is true of applications and services. Compromise an application or service running as Admin and you essentially own the machine. Hence the whole reason for service accounts to try and limit such possibilities.
Do you know if there is anything in relation to SEP that is more detailed in terms of what permisions it requires, other than just 'Admin'.