Yes I have always understood this. I need to know if it can be a local account like MyPC\qvadmin and be added to Local Administrators or if it HAS to be on the domain for which users will log in to AccessPoint with, so like MyDomain\qvadmin.
Requiring he service account to be a full administrator mostly defeats the purpose of running under a separate account. There should be a list comprising of the minimal set of rights actually needed. Besides access to %ProgramData%\QlikTech it needs to be able to use HTTP.SYS to listen to the various TCP ports, but I don't know what user right lets one do that. Anything else?