In a test environment, use the Administrator account until you get the Active Directory driver working. Then create a dedicated administrative account with the proper rights (including the restricted rights described below) that the Active Directory driver uses exclusively to authenticate to Active Directory.
Doing this keeps the Identity Manager administrative account insulated from changes to other administrative accounts. Advantages to this design are:
The account name and password are stored in the driver configuration, so you must update the driver configuration whenever the account password changes. If you change the account password without updating the driver configuration, authentication fails the next time the driver is restarted.
At a minimum, this account must have Read and Replicating Directory Changes rights at the root of the domain for the Publisher channel to operate. It also needs Write rights to any object modified by the Subscriber channel. Write rights can be restricted to the containers and attributes that the Subscriber channel writes.
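One way to delegate exactly these rights with the Windows PowerShell ActiveDirectory module, as an added example and not part of the original documentation: it grants Read plus the Replicating Directory Changes extended right at the domain root, then grants WriteProperty only on a chosen list of attributes inside one OU. The account name, OU and attribute list are assumed placeholders you replace with your own.

```powershell
Import-Module ActiveDirectory

# Assumed values (hypothetical): the driver's dedicated account, the OU the
# Subscriber channel writes to, and the attributes it is allowed to modify.
$DriverAccount = 'EXAMPLE\svc-idm-ad'
$DomainDN      = (Get-ADDomain).DistinguishedName
$SubscriberOU  = "OU=IDM Managed,$DomainDN"
$WritableAttrs = @('mail', 'telephoneNumber', 'description')

$sid = (Get-ADUser -Identity ($DriverAccount.Split('\')[1])).SID
# "Replicating Directory Changes" = DS-Replication-Get-Changes extended right.
# Do not grant "Replicating Directory Changes All" (1131f6ad-...): it also
# returns secret attributes such as password data, which the driver does not need.
$ReplGetChanges = [Guid]'1131f6aa-9c07-11d1-f79f-00c04fc2dcd2'

# Publisher channel: Read on the whole tree plus the extended right at the root.
$rootAcl = Get-Acl -Path "AD:\$DomainDN"
$rootAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::GenericRead,
    [System.Security.AccessControl.AccessControlType]::Allow,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::All)))
$rootAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow, $ReplGetChanges,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)))
Set-Acl -Path "AD:\$DomainDN" -AclObject $rootAcl

# Subscriber channel: WriteProperty restricted to the listed attributes, and only
# on objects under the managed OU (resolve each attribute's schemaIDGUID first).
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$ouAcl = Get-Acl -Path "AD:\$SubscriberOU"
foreach ($attr in $WritableAttrs) {
    $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    $attrGuid  = [Guid]$schemaObj.schemaIDGUID
    $ouAcl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty,
        [System.Security.AccessControl.AccessControlType]::Allow, $attrGuid,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents)))
}
Set-Acl -Path "AD:\$SubscriberOU" -AclObject $ouAcl

# Verify: every ACE held by the driver account at the root; anything beyond
# GenericRead and the single ExtendedRight means the account is over-privileged.
(Get-Acl -Path "AD:\$DomainDN").Access |
    Where-Object { $_.IdentityReference.Value -eq $DriverAccount } |
    Select-Object ActiveDirectoryRights, ObjectType, InheritanceType
```

Run the verification block again after each change to the account so that rights added later (for example for Exchange or the Deleted Objects container) stay visible and intentional.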
To instrument Exchange mailboxes, your Identity Manager account must have "Act as part of the Operating System" permission for the logon account.
Windows 2003 requires that you have additional rights in order to see deleted objects. See Changing Permissions on the CN=Deleted Objects Container.