There will be a KB on this (in the queue to get out of the door:) ) shortly but it's something I've ran into several times and is worth an explanation.
When creating new Run As accounts of type Action Account you may (or may not) notice that the UI doesn't verify any of the account information you enter. You can therefore enter a user name, password or domain which doesn't exist or is wrong. Why? Because the Action Account may possible exist in another forest or individual SAM. Hence why the UI doesn't attempt verify the account.
It is therefore important if assigning new action accounts, as a best practice, to verify the account exists and the credentials tested before assigning the Action Account to the Default Action Account profile.
If you do end up assigning a bad Action Account to an agent you'lll soon receive and alert to the fact in the OpsMgr Console. However the agent does attempt to use the bad account and of course fails, but will not continue to use the old Action account if still available. So the situation will need to be corrected.
Just a heads-up. This also does affect Windows Account type too.