all the docs on the AP are here: https://docs.bmc.com/docs/display/public/bsa83/Creating+automation+principals
the AP will use a login vs the user impersonation for bsa to communicate w/ a target server. it can be a domain user, it can also be a local user. most customers use the AP so they can simplify auditing - they know that all access from bsa is performed under this account and they don't have to deal w/ local accounts on each server.
you don't need to use an AP to do stuff in the domain if you have an agent installed on a DC. the normal user mapping will work fine there. when you talk to the DC w/ the normal mapping (upm) you'd be a domain user/admin and could do stuff in the domain.
Wow! Thank you for the expedient reply! Unfortunately I don't think we will ever get BSA installed on our DCs, as nice as that would be... I will dive into the documentation at the link provided and see what trouble I can get into.