Take a look here (excerpt on choosing the Windows user below):
https://docs.splunk.com/Documentation/Forwarder/6.5.3/Forwarder/InstallaWindowsuniversalforwarderfro...

Choose the Windows user that the universal forwarder should run as
When you install the universal forwarder, you can select the Windows user that the forwarder uses to get data. You have two choices.

Local System. If you specify the Local System user during the installation process, the universal forwarder collects any kind of data that is available on the local host. It cannot collect data from other hosts.
Domain account. This option installs the forwarder as the Windows user you specify. The forwarder has the permissions that have been assigned to that user, and collects data that the user has read access to. It does not collect data from resources that the Windows user does not have access to. If you need to collect data from those resources, you must give the Windows user access to those resources.
Install the forwarder as a Domain account to do any of the following:

Read Event Logs remotely
Collect performance counters remotely
Read network shares for log files
Access the Active Directory schema, using Active Directory monitoring
Choose and configure the user that the universal forwarder should run as before installing the forwarder for remote Windows data collection. If you do not, installation can fail.

If you install as a domain user, specify a user that has access to the data you want to monitor. See Choose the Windows user Splunk should run as in the Splunk Enterprise Installation Manual for concepts and procedures on the user requirements that must be in place before you collect remote Windows data.

If you install as a domain user, you can choose whether or not the user has administrative privileges on the local machine. If you choose not to give the user administrative privileges, the universal forwarder enables "low-privilege" mode. See Install the universal forwarder in low-privilege mode.