When installing Password Manager, you are prompted to specify two accounts: Password Manager Service account and application pool identity. Password Manager Service account is an account under which Password Manager Service runs. You can also use the Password Manager Service account as a domain management account (the account that is necessary to add managed domains when configuring the user and Helpdesk scopes). To do this, ensure that the Password Manager Service account has the minimum permissions required to successfully perform password management tasks in the domain. For more information, see Configuring Permissions for Domain Management Account.
Application pool identity is an account under which the application pool's worker process runs. The account you specify as the application pool identity will be used to run Password Manager Websites.
For Password Manager to run successfully, the accounts you specify when installing Password Manager must meet the following requirements:
If the App pool account is a domain user with minimal permission, make sure that <PM installation folder>\Web folder must be provided with full control permission set for the Application pool identity account.
Before you install Password Manager, make sure that the Password Manager Service account and application pool identity have the rights listed above.
If there is a requirement to have minimal permissions, please review: Assigning Minimum Permissions Required to Install and Run Password Manager.