I did not set up the TACACS. I want to disable the AD administrator account, but it appears to be needed by ACS.
I changed the administrator PW and TACACS stops working. The ACS Windows services all start using the administrator account. If I change them to use another domain admin account they start, but disabling administrator again breaks TACACS.
I am not sure of your point.
Again, your Windows ACS services are run by the Windows AD admin account. ACS will use that account to log in to AD for user authentication. If you disable the Windows AD admin account or change its password, ACS could not log in to AD to authenticate the user. That's probably the reason that TACACS authentication failed after you changed the Windows AD admin account. In the ACS External User DB configuration, you should see the related Windows AD.