Getting Data In

Do we need to assign domain admin for a service account for Universal forwarder

aamer86
Path Finder

I am setting up universal forwarders to run using service account and in Splunk documentations
https://docs.splunk.com/Documentation/Splunk/8.0.4/Installation/PrepareyourWindowsnetworkforaSplunki...

the GPO section states that we need to give the account domain admin which doesnt make sense

Labels (2)
0 Karma

saravanan90
Contributor

Splunk Forwarder can be run with normal domain account. Admin privileges are not necessary. Incase if you are collecting windows event logs, provide access to the domain account through GPO policies.

0 Karma

richgalloway
SplunkTrust
SplunkTrust

The URL you cited explains the reason: "The low-level access requirements for Splunk Enterprise operations necessitate these changes if you want to run Splunk Enterprise as a user other than the Local System user."
That raises the question, why are you running universal forwarders under a domain account instead of a local account?

---
If this reply helps you, Karma would be appreciated.
0 Karma
Get Updates on the Splunk Community!

Super Optimize your Splunk Stats Searches: Unlocking the Power of tstats, TERM, and ...

By Martin Hettervik, Senior Consultant and Team Leader at Accelerate at Iver, Splunk MVPThe stats command is ...

How Splunk Observability Cloud Prevented a Major Payment Crisis in Minutes

Your bank's payment processing system is humming along during a busy afternoon, handling millions in hourly ...

Index This | What’s a riddle wrapped in an enigma?

September 2025 Edition Hayyy Splunk Education Enthusiasts and the Eternally Curious!  We’re back with this ...