When configuring ISE-PIC Active Directory Agents on my ISE server, I have two options: 

1. I can tell it to either "Deploy New Agent", which will automatically push and install the agent software to the target server. 

2. I can "Register Existing Agent", which requires that I have already manually installed the agent software, and I am just registering it now on the ISE side. 

My question is: what is the way that the required User Name and Password values are used in the second manual deployment scenario?  The only documentation only has one shared section for both deployment models that describes those fields, and it sounds like those values are really only needed for the automatic deployment model:

"ISE-PIC uses these credentials in order to install the agent for you." (https://www.cisco.com/c/en/us/td/docs/security/ise/2-2/pic_admin_guide/PIC_admin/PIC_admin_chapter_011.html#reference_637B4FC473F247249AD42888125FA5D0)

But the interface still requires that they be entered even for a manual deployment model.  Why?  And what are the permission needs of the account used (if any)?

Also, when you get to the next step as well, of associating a domain controller with the agent, there is an additional User Name and Password field.  How is this one used when only monitoring the DC that the agent is actually installed on, and what are its permission requirements?