Our services_BES is nothing more then a domain users account as best practice dictates that that account should not be a domain admin account, but be given permissions at the exchange level.
We implemented the patch in an office of 300 people with 30 BES users and never had to make a single change to AD afterwards (quite suprisingly actually). I knew BES was going to be ok, but had no idea if something else had gotten confugured along that way that was going to break.
but then again, maybe no ones noticed yet