A few customers have been emailing us. Essentially they want to be able to "lock down" AGPM as a central source of the GP truth and not allow it to have too much access...which is something I always advocate...if it doesnt need Domain Admin access then dont give it Domain Admin access.
So heres what AGPM needs to operate:
Aside from that, thats it. If you want to support child domains with a single AGPM instance then you also need to give the service account similar access to what the GPO Creator Owners group provides and access to any existing GPO's you want to manage. Note that you cannot add an account from one domain into a global group in a child domain. Aside from that its now running least privilege and you can take away Domain Admins
Updated: 10th Dec. After finding a bug in this approach I added the Backup Operators group to this process. It appears that when you try to delete a GPO from AGPM, it tries to restore the GPO object ownership back to the defaults of "Domain Admins". When its running it least privilege it no longer has the permissions to do this. The only other group than Domain Admins with this permission is Backup Operators. Thus its necessary to also grant the service account this group access.