Can I restrict the EventSentryADMonitor account's Domain Admin permissions?

Article ID: 444
Category: ADMonitor
Applies to: 4.0 and newer
Updated: 2023-09-28

For additional security, you can restrict the EventSentryADMonitor account so that it can only be used on the EventSentry server and the domain controllers, and also block it from performing any sensitive functions (RDP, console, service, batch job, etc.) on domain controllers.

In Active Directory, select the EventSentryADMonitor account, go to the Account tab, click the "Log On To" button, and add the EventSentry server as well as each domain controller.

Then edit your domain controller GPO (usually called "Default Domain Controller Policy") under Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment. Add the EventSentryADMonitor account to the following items:

  • Deny log on locally
  • Deny log on as a batch job
  • Deny log on through Remote Desktop Services

Restart the EventSentryADMonitor service after making these changes to confirm that it still starts successfully. If the service no longer starts, ensure that the EventSentry server is listed in the "Log On To" section of the EventSentryADMonitor account properties in Active Directory, and that the only Deny entries set in Group Policy are the ones listed above.
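
The following read-only PowerShell audit is an added example, not part of EventSentry: it checks the account's "Log On To" list against the EventSentry server and all domain controllers, and reads the GPO's GptTmpl.inf to confirm that the account is listed only under the three Deny rights above. It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed; the host name EVENTSENTRY01 is a placeholder, and the GPO name default is an assumption to adjust to your environment.

```powershell
# Added read-only audit example; not EventSentry's own tooling.
# Assumptions: RSAT ActiveDirectory and GroupPolicy modules are available;
# $EventSentryServer and $GpoName are placeholders for your environment.
param(
    [string]$Account           = 'EventSentryADMonitor',
    [string]$EventSentryServer = 'EVENTSENTRY01',
    [string]$GpoName           = 'Default Domain Controllers Policy'
)
Import-Module ActiveDirectory, GroupPolicy

# Reduce "HOST" or "host.domain.tld" to a short name for comparison.
function Get-ShortName([string]$Name) { ($Name.Trim() -split '\.')[0] }

# 1. "Log On To" list: the EventSentry server plus every domain controller.
$user     = Get-ADUser -Identity $Account -Properties LogonWorkstations
$allowed  = @("$($user.LogonWorkstations)" -split ',' | Where-Object { $_.Trim() } |
              ForEach-Object { Get-ShortName $_ })
$required = @($EventSentryServer) + @((Get-ADDomainController -Filter *).Name) |
            ForEach-Object { Get-ShortName $_ }
if ($allowed.Count -eq 0) { Write-Warning "$Account may log on to all computers." }
foreach ($name in $required) {
    if ($allowed -notcontains $name) { Write-Warning "Missing from 'Log On To': $name" }
}
foreach ($name in $allowed) {
    if ($required -notcontains $name) { Write-Warning "Extra 'Log On To' entry: $name" }
}

# 2. User Rights Assignment in the domain controller GPO (direct entries only;
#    a deny granted through group membership is not resolved here).
$gpo = Get-GPO -Name $GpoName
$inf = "\\$($gpo.DomainName)\SYSVOL\$($gpo.DomainName)\Policies\{$($gpo.Id)}" +
       '\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf'
$rights = @{}
foreach ($line in Get-Content -LiteralPath $inf) {
    if ($line -match '^\s*(SeDeny\w+)\s*=\s*(.*)$') {
        $rights[$Matches[1]] = @($Matches[2] -split ',' |
                                 ForEach-Object { $_.Trim().TrimStart('*') })
    }
}
$expected = 'SeDenyInteractiveLogonRight', 'SeDenyBatchLogonRight',
            'SeDenyRemoteInteractiveLogonRight'
$sid = $user.SID.Value
foreach ($right in (@($rights.Keys) + $expected | Sort-Object -Unique)) {
    # Entries are stored as *SID or as an account name.
    $listed = [bool](@($rights[$right]) | Where-Object {
        $_ -eq $sid -or $_ -eq $Account -or $_ -like "*\$Account" })
    $status = if ($listed -eq ($expected -contains $right)) { 'OK' } else { 'CHECK' }
    '{0,-5} {1,-34} account listed: {2}' -f $status, $right, $listed
}
```

A CHECK line means the account is either missing from one of the three Deny rights above or is listed under a different Deny right, which is the condition to rule out if the service fails to start.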