What do you use this 'idmbind' account for?

If you are using it to establish trust to AD which is a one-time operation, then by Microsoft's own requirements that account should be a member of Enterprise Admin group in the AD forest _or_ a member of Domain Admins group in the forest root domain for AD forest.

https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-entadmins
https://docs.microsoft.com/en-us/windows/security/identity-protection/access-control/active-directory-security-groups#bkmk-domainadmins

See details at
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2003/cc773178(v=ws.10)
----
To create a forest trust, the administrator creating the trust must be a member of the Domain Admins group (in the forest root domain) or the Enterprise Admins group in Active Directory. Each trust is assigned a password that the administrators in both forests must know. Members of Enterprise Admins in both forests can create the trusts in both forests at once and, in this scenario, a password that is cryptographically random is automatically generated and written for both forests.

Members of the Incoming Forest Trust Builders group can create one-way, incoming forest trusts. For example, members of this group residing in Forest A can create a one-way, incoming forest trust from Forest B. This one-way, incoming forest trust allows users in Forest A to access resources located in Forest B. Members of this group are granted the permission Create Inbound Forest Trust on the forest root domain. This group has no default members.
----
As you can see, for one-way trust there is another group that could be used but we never tested whether those permissions would be enough.
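Added example, not part of the thread: a small Python check that classifies what trust operations an account's group memberships permit under the requirements quoted above, with the forest-root nuance made explicit (Domain Admins in a child domain does not qualify). The memberOf DNs are constructed sample input; `forest_root` is assumed to be the DNS name of the forest root domain.

```python
# Well-known AD group names from the quoted requirements (matched case-insensitively on CN).
ENTERPRISE_ADMINS = "enterprise admins"
DOMAIN_ADMINS = "domain admins"
INCOMING_TRUST_BUILDERS = "incoming forest trust builders"


def parse_dn(dn: str):
    """Split a group DN into (cn, dns_domain).

    'CN=Domain Admins,CN=Users,DC=corp,DC=example,DC=com'
        -> ('domain admins', 'corp.example.com')
    Assumes no escaped commas inside RDN values (a simplification).
    """
    rdns = [p.strip() for p in dn.split(",")]
    cn = next((r[3:] for r in rdns if r.upper().startswith("CN=")), "")
    domain = ".".join(r[3:] for r in rdns if r.upper().startswith("DC="))
    return cn.lower(), domain.lower()


def trust_rights(member_of, forest_root: str):
    """Return the set of trust operations these memberships allow.

    member_of:   group DNs as AD returns them in the memberOf attribute
                 (constructed sample values in the test below).
    forest_root: DNS name of the forest root domain, e.g. 'example.com'.

    'forest-trust'       - may create a forest trust (EA, or DA in the forest root)
    'one-way-incoming'   - may create only a one-way, incoming forest trust
    """
    rights = set()
    root = forest_root.lower()
    for dn in member_of:
        cn, domain = parse_dn(dn)
        if cn in (ENTERPRISE_ADMINS, DOMAIN_ADMINS) and domain == root:
            # Domain Admins counts only in the forest root domain;
            # Enterprise Admins exists only there anyway.
            rights.add("forest-trust")
        elif cn == INCOMING_TRUST_BUILDERS:
            rights.add("one-way-incoming")
    return rights
```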