Once again, I find myself in a discussion of setting up the FIM Active Directory service accounts to only have the minimum permissions needed for the job.
I won this time (again), and I'm now finding myself creating PowerShell scripts to make sure that the service account used for the FIM Active Directory MA has exactly the permissions needed for it to be able to do its work, and nothing more.
I'm using DSACLS and PowerShell for the script/job. If you're not too familiar with either of the above, you can find very good inspiration in this blog by Paul Williams.
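As an added example (not the author's script), here is the shape such a DSACLS/PowerShell job can take for an AD MA that does delta imports and exports a handful of attributes. The domain DN, OU, account name and attribute list are all placeholders.

```powershell
# Added example, not the original post's script. Grants a FIM AD MA service account
# only the rights it needs via dsacls. Every name below is an assumed placeholder.
$Domain  = 'DC=contoso,DC=com'              # assumed domain head
$ScopeOU = 'OU=Managed,DC=contoso,DC=com'   # assumed OU the MA is scoped to
$Account = 'CONTOSO\svc-fim-adma'           # assumed MA service account

# 1. Delta import: the "Replicating Directory Changes" extended right (CA) on the
#    domain head, not Domain Admins or full replication rights.
dsacls $Domain /G "${Account}:CA;Replicating Directory Changes"

# 2. Full import: generic read (GR) on user objects under the scope OU only;
#    /I:S applies the ACE to sub-objects and not to the OU itself.
dsacls $ScopeOU /I:S /G "${Account}:GR;;user"

# 3. Export: write-property (WP) on each attribute the MA actually flows,
#    instead of generic write on the whole object. Assumed attribute list.
foreach ($attr in 'displayName', 'mail', 'telephoneNumber') {
    dsacls $ScopeOU /I:S /G "${Account}:WP;${attr};user"
}

# 4. Review: list the ACEs the account now holds on the OU. Anything beyond
#    what was granted above is a finding to follow up on.
dsacls $ScopeOU | Select-String -SimpleMatch $Account
```

Run it from an elevated PowerShell session as an account allowed to modify the ACLs; re-running step 4 periodically is a cheap drift check.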
And remember "To script or NOT to script, that is a stupid question"; now go and restrict your service accounts in FIM..!