Scanning with domain admin or another account that is local admin to pc's?

Hi, were new to Lansweeper, just got our feet off the ground this week and we love it so far. WAY faster than Spiceworks! We licenced 1500 assets and I configured it to use SQL Server 2016 and IIS 10.

One of the concerns we had with scanning is what kind of account to use in order to obtain all the good detail for our domain joined machines. The easy route, what we are doing now, is using a domain administrator account, and since our machines are on the domain, they have access to all of the bits and pieces like administrative shares, WMI, DCOM, etc... So this is working. The security concern is that this domain admin account is being sprayed out to every machine to scan.

Another theory we had was use a regular domain account that had read only access to AD, so that part was still readable, but used a GPO to make this account local admin on all of our workstations. My concern with that is if the account is ever compromized on one machine, the bad actor can then use this account to jump around from machine to machine. Its the whole reason we use Microsoft LAPS to randomize and uniquely configure each PC's local administrator password.

Third option would be the LsAgent. Now we are deploying this to laptop and tablet class machines, since they can roam. But we have so many other agents for other things, the concern is adding more "stuff" to end users machines, so we lean towards agentless scanning.

What's your opinion for best practices? Right now I'm leaning towards a special unique domain administrator account with a very long passphrase, like 35 or more characters, and a strict policy to change that in a timely manner. It would be very hard for a bad actor to brute force a password of that length.

Curious to hear what you all do!