The Adaxes service account (specified during the software installation) only requires the permissions to publish Adaxes in AD. For details on how to grant the permissions, have a look at section How do I grant permissions to publish Adaxes service of our installation guide: https://www.adaxes.com/help/InstallationGuide/#grant-permissions-to-publish-adaxes-service.
At the same time, all operations in a managed domain are performed using the account specified for the domain in Adaxes. The account must have all the native AD permissions for the operations you will be performing in Adaxes. For example, if you are only going to be resetting user passwords in an OU, you can only grant the account native AD permissions to see the OU, users in it and reset passwords of the users. It is recommended that the account is a member of the BUILTIN\Administrators group, but it is not a requirement.
It is also not recommended to use the Adaxes service account for managed domains. For information on how to check/change the account for a managed domain, see https://www.adaxes.com/help/ChangeManagedDomainServiceAccount.