Deployment Architecture

Unable to start Splunk Forwarder on Domain Controller with a Domain User

lmaclean
Path Finder

Hi,

I installed Splunk 7.0.1 across the server environment with it running as a specified domain user account, and on every server other than the DCs it runs fine with Local Admin rights. But this isn't really doable on a DC, because a DC's local Administrators group is effectively the AD Domain Admins group, so I added the required permissions to the DCs' GPO as provided by the doco: https://docs.splunk.com/Documentation/Splunk/7.0.1/Installation/ChoosetheuserSplunkshouldrunas

But even with these rights configured, and after forcing a GP update and checking rsop to confirm it has been applied, I keep getting, within Event Viewer under System, Event Code 10016 with a source of DistributedCOM.

The error message reads along the lines of:

The application specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {D63B10C5-BB46-4990-A94F-E40B9D520160} and APPID {9CA88EE3-ACB7-47C8-AFC4-AB702511C276} to the user SID {...} from address LocalHost (via LRPC) running in the application container not avilable SID. This security permission can be modified using Component Services administrative tool.

Looking at one MS link, they say to change the permissions in the Registry for the keys and in Component Services for the specified application, or otherwise to ignore these errors as they don't "adversely affect functionality"... This is not something the client wants to do on their DCs. The strange thing is I haven't had this issue before within other Splunk environments.

https://answers.microsoft.com/en-us/windows/forum/windows8_1-performance/error-event-id-10016-distri...

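Added diagnostic example (not from the original post, and not Splunk's or Microsoft's own tooling): a PowerShell check to run on the DC as an administrator that confirms what the forwarder service actually runs as, verifies the GPO-delivered user rights reached the local policy for that account, and lists recent DCOM 10016 events with the AppID they name and whether the SID in the event is the Splunk service account at all. The service name `SplunkForwarder`, the right `SeServiceLogonRight` and the account name are assumptions; take the full list of required rights from the Splunk doc linked in the question.

```powershell
# Added diagnostic script (not from the original post). Run elevated on the DC.
# Assumptions: service name 'SplunkForwarder'; 'SeServiceLogonRight' is only a
# placeholder for the full list of rights in the Splunk doc linked above.
param(
    [string]$ServiceName = 'SplunkForwarder',
    [string[]]$RequiredRights = @('SeServiceLogonRight')
)

# 1. Which account does the service run as, and what state is it in?
$svc = Get-CimInstance Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service '$ServiceName' not found on this host" }
"{0} runs as {1}, state: {2}" -f $svc.Name, $svc.StartName, $svc.State

# 2. Resolve the service account to a SID and check each required right in the
#    effective local security policy (this is what the GPO should have delivered;
#    rsop shows the intended policy, secedit shows what is actually in force).
$acct = New-Object System.Security.Principal.NTAccount($svc.StartName)
$sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
$cfg  = Join-Path $env:TEMP 'secpol-userrights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg
foreach ($right in $RequiredRights) {
    # Exported lines look like: SeServiceLogonRight = *S-1-5-80-...,*S-1-5-21-...
    $line = $policy | Where-Object { $_ -like "$right *" }
    $ok = $line -and ($line -match [regex]::Escape("*$sid"))
    "{0,-30} {1}" -f $right, $(if ($ok) { 'granted' } else { 'MISSING' })
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# 3. Pull recent DCOM 10016 events, resolve the AppID each names via the
#    registry, and flag whether the SID in the event is the Splunk account.
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'System'; ProviderName = 'Microsoft-Windows-DistributedCOM'; Id = 10016
} -MaxEvents 20 -ErrorAction SilentlyContinue
foreach ($e in $events) {
    $appId = if ($e.Message -match 'APPID\s*(\{[0-9A-Fa-f-]+\})') { $Matches[1] } else { 'unknown' }
    $evSid = if ($e.Message -match 'SID\s*\(?(S-1-[\d-]+)') { $Matches[1] } else { 'unknown' }
    $desc  = 'no registry description'
    if ($appId -ne 'unknown') {
        $key = Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\AppID\$appId" -ErrorAction SilentlyContinue
        if ($key -and $key.'(default)') { $desc = $key.'(default)' }
    }
    $who = if ($evSid -eq $sid) { 'SPLUNK SERVICE ACCOUNT' } else { "other principal ($evSid)" }
    "{0}  AppID {1}  [{2}]  {3}" -f $e.TimeCreated, $appId, $desc, $who
}
```

If step 2 reports every right as granted and step 3 shows the 10016 events belonging to a different SID (or to a COM server unrelated to the forwarder), the DCOM noise is a separate issue from why the service will not start, and the next place to look is the forwarder's own splunkd.log under the Splunk install directory rather than the DCOM permissions.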