Resolution
Why does the AppManager Service account need the 'logon locally' right?
fact
AppManager 5.x
fact
NetIQ AppManager Service Accounts
fix
This is a basic NT operating system permission issue. The domain admin account is necessary because users (especially in the case of agentinstall) will be remotely changing how the server operates. Agentinstall requires the Management Server to remotely access the agent server, create services, start those services and execute the installation tasks on that agent server. An account can only do this if it has the "log on locally" right.
The "log on as a service" right must also be in effect so that the service can be started in the first place to carry out these administrative tasks locally on that server. If the NT administrator account does not have domain admin privileges on the other server, it will not be able to make the necessary registry changes or start remote processes on that machine. Microsoft requires this functionality, not NetIQ.
note
Log on Locally
Allows a user to log on at the computer's keyboard. By default, this right is granted to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.
note
Log on as a service
Allows a security principal to log on as a service, as a way of establishing a security context. The LocalSystem account always retains the right to log on as a service. Any service that runs under a separate account must be granted this right. By default, this right is not granted to anyone.
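The following PowerShell script is an added example, not part of the NetIQ article, showing how to audit whether a service account holds the two user rights described above and, optionally, grant the missing ones. It maps the policy names to the privilege constants that secedit uses ("Log on locally" is SeInteractiveLogonRight, "Log on as a service" is SeServiceLogonRight), exports the current assignments, and writes a security template that preserves the existing holders of each right before adding the account. The account name CONTOSO\svc-appmanager is a placeholder; the script assumes an elevated session on the server being checked.

```powershell
param(
    [string]$Account = 'CONTOSO\svc-appmanager',   # placeholder service account (assumption)
    [switch]$Grant                                # audit only unless -Grant is given
)

# secedit uses privilege constants, not the names shown in Local Security Policy:
#   "Log on locally"       -> SeInteractiveLogonRight
#   "Log on as a service"  -> SeServiceLogonRight
$rights = 'SeInteractiveLogonRight', 'SeServiceLogonRight'

# secedit stores principals as *SID, so resolve the account name to its SID first.
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the current user-rights assignments to an INF file and parse them.
$exportFile = Join-Path $env:TEMP 'userrights-export.inf'
secedit /export /cfg $exportFile /areas USER_RIGHTS | Out-Null
$current = @{}
foreach ($line in Get-Content $exportFile) {
    if ($line -match '^(Se\w+)\s*=\s*(.*)$') {
        $current[$matches[1]] = $matches[2].Trim()
    }
}

# Report, per right, whether the account's SID is among the holders.
$missing = @()
foreach ($r in $rights) {
    $holders = if ($current.ContainsKey($r) -and $current[$r]) { $current[$r] -split ',' } else { @() }
    $has = $holders -contains "*$sid"
    [pscustomobject]@{ Right = $r; Account = $Account; Granted = $has }
    if (-not $has) { $missing += $r }
}

if ($Grant -and $missing) {
    # Build a minimal security template. A [Privilege Rights] entry REPLACES the
    # holder list, so the existing holders are carried over and our SID appended.
    $body = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"',
              'Revision=1', '[Privilege Rights]')
    foreach ($r in $missing) {
        $holders = @()
        if ($current.ContainsKey($r) -and $current[$r]) { $holders = $current[$r] -split ',' }
        $body += "$r = " + (($holders + "*$sid") -join ',')
    }
    $tplFile = Join-Path $env:TEMP 'userrights-grant.inf'
    $dbFile  = Join-Path $env:TEMP 'userrights-grant.sdb'
    Set-Content -Path $tplFile -Value $body -Encoding Unicode
    secedit /configure /db $dbFile /cfg $tplFile /areas USER_RIGHTS | Out-Null
    "Granted $($missing -join ', ') to $Account; re-run without -Grant to verify."
}
```

Run it once without -Grant to see which of the two rights the account lacks, then with -Grant to add them. Because the template is applied with /areas USER_RIGHTS only, no other security settings on the server are touched, and the exported INF left in %TEMP% serves as a record of the assignments before the change.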