1. It's fine. Though technically if you're only using it to come up with standards, you might set up a service account and give it just the permissions it requires (e.g. view server state, and a few others). We do that for example for the SCOM monitoring accounts.

2. It goes pretty much how you've described. Split things up into what you want to know, which for us is:

- Backups

- Integrity / Maintenance

- Capacity

- Agent Jobs

- Security

Write scripts to gather relevant detail remotely from each server each morning and stick them into a centralised server. Then build more scripts to report off of them as you find issues. Then you can build policies to evaluate, pick them up, and fix them (using EPMF - though I don't think highly of it, it's all there is).