Recently I was saddled with standing up Zenoss for our enterprise.  We're running about 1200 servers, so manually touching each box was not an option.  We use LANDesk for a lot of automated installs and patching - more about that later.

The steps below may not necessarily have to be completed in this order - it's just the way I did it.

Set up a standard AD user.  We want to do this so there's minimal security exposure.  Call the account whatever you want; we use "domain/zenoss" for our examples.
Add your zenoss account to the following local groups on each machine:
Distributed COM Users
Performance Monitor Users
Event Log Readers (which doesn't exist on pre-2008 machines)

Here's the PowerShell script I used to set up access to these local groups:

# Created to add Active Directory account to local groups
# Must be run from elevated prompt, with permissions on the remote machine(s).

# The txt file should contain the names of the machines that need the account added, one per line.
# Script will process machines line by line.
foreach($i in (gc c:\tmp\computers.txt)){

    # Add the user to the first group
    $objGroup=[ADSI]("WinNT://$i/Distributed COM Users")
    $objGroup.Add("WinNT://domain/zenoss")

    # Add the user to the second group
    $objGroup=[ADSI]("WinNT://$i/Performance Monitor Users")
    $objGroup.Add("WinNT://domain/zenoss")

    # Add the user to the third group - Group doesn't exist on < Server 2008
    #$objGroup=[ADSI]("WinNT://$i/Event Log Readers")
    #$objGroup.Add("WinNT://domain/zenoss")
}

Set up security on each machine's WMI namespace so our domain/zenoss account can access it.
The default namespace for zenoss is:  root/cimv2
Here's the PowerShell script:

#Grant the account named in the get-sid call below access to the WMI namespace
#Has to be run as account with permissions on remote machine

# Resolve an account name (domain\user) to its SID string
function get-sid
{
    Param (
        $DSIdentity
    )
    $ID = new-object System.Security.Principal.NTAccount($DSIdentity)
    return $ID.Translate( [System.Security.Principal.SecurityIdentifier] ).toString()
}

$sid = get-sid "domain\zenoss"
# WMI namespace ACE: allow Enable Account (CC) and Remote Enable (WP)
$SDDL = "A;;CCWP;;;$sid"
# DCOM launch ACE: allow Execute (CC), Local Launch (DC) and Remote Activation (RP)
$DCOMSDDL = "A;;CCDCRP;;;$sid"
$computers = Get-Content "c:\tmp\computers.txt"
foreach ($strcomputer in $computers)
{
    # 2147483650 = HKEY_LOCAL_MACHINE; read the current DCOM launch restriction
    $Reg = [WMIClass]"\\$strcomputer\root\default:StdRegProv"
    $DCOM = $Reg.GetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction").uValue
    # Read the current security descriptor of the root/cimv2 namespace
    $security = Get-WmiObject -ComputerName $strcomputer -Namespace root/cimv2 -Class __SystemSecurity
    $converter = new-object System.Management.ManagementClass Win32_SecurityDescriptorHelper
    $binarySD = @($null)
    $result = $security.PsBase.InvokeMethod("GetSD",$binarySD)
    # Convert both descriptors to SDDL and append the new ACEs
    $outsddl = $converter.BinarySDToSDDL($binarySD[0])
    $outDCOMSDDL = $converter.BinarySDToSDDL($DCOM)
    $newSDDL = $outsddl.SDDL + "(" + $SDDL + ")"
    $newDCOMSDDL = $outDCOMSDDL.SDDL + "(" + $DCOMSDDL + ")"
    # Convert back to binary and write both descriptors to the remote machine
    $WMIbinarySD = $converter.SDDLToBinarySD($newSDDL)
    $WMIconvertedPermissions = ,$WMIbinarySD.BinarySD
    $DCOMbinarySD = $converter.SDDLToBinarySD($newDCOMSDDL)
    $DCOMconvertedPermissions = ,$DCOMbinarySD.BinarySD
    $result = $security.PsBase.InvokeMethod("SetSD",$WMIconvertedPermissions)
    $result = $Reg.SetBinaryValue(2147483650,"software\microsoft\ole","MachineLaunchRestriction", $DCOMbinarySD.binarySD)
}
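
The script above appends its ACE to the end of the SDDL string on every run, so a second run adds a duplicate ACE, and if the descriptor carries a SACL ("S:") section the appended ACE does not land in the DACL. The following is an added example, not part of the original post: it inserts the ACE into the DACL only when it is missing and decodes what CCWP and CCDCRP grant. The function names, the SID and the sample SDDL string are constructed for illustration.

```powershell
# Added example, not from the original post. The SID and SDDL strings are constructed.
# Two-letter SDDL rights as they apply to a WMI namespace and to DCOM launch restrictions.
$WmiRights  = @{ CC='Enable Account'; DC='Execute Methods'; LC='Full Write'; SW='Partial Write'
                 RP='Provider Write'; WP='Remote Enable'; RC='Read Security'; WD='Edit Security' }
$DcomRights = @{ CC='Execute'; DC='Local Launch'; LC='Remote Launch'
                 SW='Local Activation'; RP='Remote Activation' }

# Return the ACEs of the DACL only (text between "D:" and an optional "S:" SACL marker).
function Get-DaclAce {
    param([string]$Sddl)
    $start = $Sddl.IndexOf('D:')
    if ($start -lt 0) { return }
    $end = $Sddl.IndexOf('S:', $start)
    if ($end -lt 0) { $end = $Sddl.Length }
    foreach ($m in [regex]::Matches($Sddl.Substring($start, $end - $start), '\(([^)]*)\)')) {
        $f = $m.Groups[1].Value.Split(';')
        [pscustomobject]@{ Type = $f[0]; Rights = $f[2]; Sid = $f[5] }
    }
}

# Insert "($Ace)" at the end of the DACL unless an identical grant is already there.
function Add-DaclAce {
    param([string]$Sddl, [string]$Ace)
    $start = $Sddl.IndexOf('D:')
    if ($start -lt 0) { throw 'SDDL string has no DACL section' }
    $new = $Ace.Split(';')
    $dup = Get-DaclAce $Sddl | Where-Object {
        $_.Type -eq $new[0] -and $_.Rights -eq $new[2] -and $_.Sid -eq $new[5] }
    if ($dup) { return $Sddl }
    $sacl = $Sddl.IndexOf('S:', $start)
    if ($sacl -lt 0) { return $Sddl + "($Ace)" }
    return $Sddl.Insert($sacl, "($Ace)")
}

# Translate a rights string such as "CCWP" into readable names.
function ConvertTo-RightName {
    param([string]$Rights, [hashtable]$Map)
    [regex]::Matches($Rights, '[A-Z]{2}') | ForEach-Object { $Map[$_.Value] }
}

$sid   = 'S-1-5-21-1111111111-2222222222-3333333333-1234'   # constructed SID
$sddl  = 'O:BAG:BAD:(A;CI;CCDCLCSWRPWPRCWD;;;BA)(A;CI;CCDCRP;;;NS)S:(AU;FA;CC;;;WD)'   # constructed
$once  = Add-DaclAce $sddl "A;;CCWP;;;$sid"
$twice = Add-DaclAce $once "A;;CCWP;;;$sid"
"Second run changed the descriptor: $($once -ne $twice)"
"WMI rights for $sid : " + ((Get-DaclAce $once | Where-Object { $_.Sid -eq $sid } |
    ForEach-Object { ConvertTo-RightName $_.Rights $WmiRights }) -join ', ')
"DCOM rights in CCDCRP : " + ((ConvertTo-RightName 'CCDCRP' $DcomRights) -join ', ')
```

Running Get-DaclAce over the SDDL returned by BinarySDToSDDL, before and after the change, gives a quick record of exactly which rights the monitoring account holds on each machine.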

Get the SID for our zenoss account.

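#Provide AD User get SID
$objUser = New-Object System.Security.Principal.NTAccount("domain", "zenoss")
$strSID = $objUser.Translate([System.Security.Principal.SecurityIdentifier])
# Output the SID string
$strSID.Value

Modify the Service Control Manager security descriptor to allow access to the zenoss AD account.
This command can be run from an elevated command line, or through PowerShell. Note that sc sdset overwrites the existing security descriptor rather than adding to it, so record the current value with "sc sdshow scmanager" before changing it.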

sc sdset scmanager "D:(A;;CC;;;AU)(A;;CCLCRPRC;;;IU)

In step two the script plows through a txt file and processes the computer listed on each line.  For the other scripts, I ran them on each machine using LANDesk.  You can probably edit those scripts to process a text file as well.

That's what got me off the ground monitoring the machines using Zenoss.  Hopefully this is helpful for you.  Watch the line breaks when copying the scripts.