+1 on the do not use Administrator accounts.
I would create a special service account with a very strong password so you can disable password renewal, expiration and password lockout on the account to prevent it from expiring/locking.
Then on the rights, you basically (only) need read access to the fields and records that you use in your authentication. As Tim said, the standard user template is a good start that will work in most cases, unless access has been locked down in your specific Active Directory.
You can easily test what access you have with an LDAP Browser, like the browser inside Clearpass.
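The steps above (dedicated bind account, no expiry or lockout, read-only rights, then a check of what the account can actually see) can be scripted. The following is an added PowerShell example, not code from the original post or from Aruba ClearPass; the account name, OU path, domain, test user, DC hostname and policy precedence are assumptions chosen for illustration.

```powershell
# Added example (not from the original post). Creates a least-privilege LDAP bind
# account, exempts it from lockout/expiry via a fine-grained password policy, and
# verifies over plain LDAP (as ClearPass binds) that it can read but not write.
# All names, paths and hostnames below are assumptions for illustration.
Import-Module ActiveDirectory

$svcName = 'svc-clearpass-ldap'                         # assumed account name
$svcOU   = 'OU=Service Accounts,DC=example,DC=com'     # assumed OU
$svcUpn  = "$svcName@example.com"                       # assumed UPN
$dc      = 'dc01.example.com'                           # assumed domain controller
$baseDn  = 'DC=example,DC=com'
$probeUser = 'jdoe'                                     # assumed existing test user

# 1. Long random password; the account never logs on interactively, so length is free.
#    36 random bytes -> 48 Base64 characters with upper, lower, digits and symbols.
$bytes = New-Object byte[] 36
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$pw = [Convert]::ToBase64String($bytes)
$securePw = ConvertTo-SecureString $pw -AsPlainText -Force

# 2. Create the service account: password never expires, user cannot change it.
New-ADUser -Name $svcName -SamAccountName $svcName -UserPrincipalName $svcUpn `
    -Path $svcOU -AccountPassword $securePw -Enabled $true `
    -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'ClearPass LDAP bind account (read-only)'

# 3. Lockout is a domain/PSO setting, not a per-account flag, so apply a
#    fine-grained password policy with LockoutThreshold 0 to this account only.
$psoName = 'PSO-ServiceAccounts-NoLockout'               # assumed policy name
New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 32 -PasswordHistoryCount 24 `
    -LockoutThreshold 0 -LockoutDuration '0.00:30:00' -LockoutObservationWindow '0.00:30:00' `
    -ReversibleEncryptionEnabled $false `
    -Description 'No lockout for read-only LDAP bind accounts'
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $svcName

# 4. Verify what the account can do over LDAP, the same path ClearPass uses.
#    The default Domain Users membership normally grants the read rights needed.
$entry = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$dc/$baseDn", $svcUpn, $pw)
$searcher = New-Object System.DirectoryServices.DirectorySearcher($entry)
$searcher.Filter = "(&(objectClass=user)(sAMAccountName=$probeUser))"
# Only the attributes an authentication source actually needs.
[void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'userPrincipalName', 'memberOf'))
$result = $searcher.FindOne()
if ($null -eq $result) {
    Write-Warning "Bind succeeded but $probeUser was not readable; check OU ACLs."
} else {
    Write-Host "Read OK: $($result.Properties['samaccountname'])"
    Write-Host "Groups:  $($result.Properties['memberof'] -join ', ')"
}

# 5. Negative check: a write attempt must fail. If it succeeds, the account holds
#    more than the read-only rights it needs and should be re-scoped.
try {
    $target = $result.GetDirectoryEntry()
    $target.Put('description', 'least-privilege write probe')
    $target.SetInfo()
    Write-Warning 'WRITE SUCCEEDED: bind account is over-privileged.'
} catch {
    Write-Host 'Write denied as expected: account is read-only.'
}
```

Run this once as a domain administrator; afterwards only the bind account's password, never an administrator credential, is configured in the ClearPass authentication source. If the write probe succeeds, remove the account from any group beyond Domain Users and re-run the check before using it.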