Creating a service account to run the Active Directory Connector

The service account that will run the Active Directory Connector will need admin privileges on the server where the connector is installed.

If the Active Directory Connector is installed on a domain controller the service account must be a member of the Domain Admins group
If the Active directory Connector is installed on a member server the service account must be a member of the server's Administrators group.

Creating a service account that is a domain admin - used on a domain controller

Open Active Directory Users and Computers.
Create a new user. Use a descriptive name like PasswordBossService.
Create a strong password for the account and clear the checkbox so a password change is not required. You may also want to check the box for "Password never expires".
Save the new password in Password Boss.
Edit the service account in Active Directory User and Computers.
On the Member Of tab, add the Domain Admins group and save the account.

Creating a service account that is an administrator on the member server

Open Users and Groups.
Create a new user. Use a descriptive name like PasswordBossService.
Create a strong password for the account and clear the checkbox so a password change is not required. You may also want to check the box for "Password never expires".
Save the new password in Password Boss.
Edit the user account and on the Member Of tab add the Administrators group and save the service account.
Open Active Directory Users and Computers and right-click the domain and select Delegate Control.
Add your service account to the User or Groups page.
On the Tasks to Delegate page select Read all user information.
Finish the wizard
Install AD Lightweight Directory Service as a Role on your member server.

Open Powershell or a command prompt and run the following commands

dsacls "CN=Deleted Objects,<Your_Base_DN_here>" /takeownership

dsacls "CN=Deleted Objects,<Your_Base_DN_here>" /G <Domain\PasswordBossService>:LCRP