Yes, it sounds like you are on track. Response from our admins:
"Yes, we do strip logon as a service rights for anything not specified by us. The [ServiceAccount] account has these rights, if they can sub that user."
Can the SAP Host Agent use one of our existing service accounts, rather than having it create its own user on the servers? Or is this going to get complicated?