Thanks!
In case anyone searches this, regarding adding groups: it turns out the service account also needed to be granted read rights to the Users and Computers folders in AD. Once that was done (plus the IIS changes mentioned earlier in this thread), I could add users and groups without issue.
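A quick way to confirm the fix described above, as an added example that is not part of the original post: the script below reads the ACLs on the CN=Users and CN=Computers containers and lists the Allow entries granted to the service account, so an administrator can see whether read rights are present and that nothing broader than read was handed out. It assumes the ActiveDirectory PowerShell module (RSAT) is installed and that the caller can read ACLs in the domain; the account name DOMAIN\svc-app is a placeholder.

```powershell
# Added example, not from the original thread or the product being discussed.
# Assumes RSAT's ActiveDirectory module; DOMAIN\svc-app is a placeholder account.
Import-Module ActiveDirectory

$ServiceAccount = 'DOMAIN\svc-app'          # placeholder: replace with the real service account
$DomainDN       = (Get-ADDomain).DistinguishedName
$Containers     = @("CN=Users,$DomainDN", "CN=Computers,$DomainDN")

# Rights that together make up "read" on a directory object.
$ReadRights = [System.DirectoryServices.ActiveDirectoryRights]::GenericRead

foreach ($dn in $Containers) {
    # The AD: drive exposes directory objects so Get-Acl can read their security descriptors.
    $acl = Get-Acl -Path "AD:\$dn"

    $entries = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow'
    }

    Write-Output "==> $dn"
    if (-not $entries) {
        Write-Output "    no explicit Allow entries for $ServiceAccount"
        # To grant read only (least privilege), dsacls can be used, e.g.:
        #   dsacls "$dn" /G "${ServiceAccount}:GR"
        continue
    }

    foreach ($ace in $entries) {
        $hasFullRead = $ace.ActiveDirectoryRights.HasFlag($ReadRights)
        # Flag anything beyond read so over-broad grants are visible during review.
        $writeBits   = [System.DirectoryServices.ActiveDirectoryRights]::GenericWrite
        $hasWrite    = ($ace.ActiveDirectoryRights -band $writeBits) -ne 0
        Write-Output ("    rights={0} inheritance={1} fullRead={2} write={3}" -f `
            $ace.ActiveDirectoryRights, $ace.InheritanceType, $hasFullRead, $hasWrite)
    }
}
```

Run this from a domain-joined machine as an account that can read the containers' security descriptors. Read on these containers is normally inherited by default through Authenticated Users, so if the explicit grant was needed, it is worth keeping the grant at GenericRead rather than anything wider, and re-running the check after changes to confirm no write bits crept in.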