I'm getting pushback on installing UFs on domain controllers, and I believe installing in low-privilege mode is the solution that will meet the Windows administrators' concerns. My only issue is that I haven't been able to find a document that states the exact limitations of running the UF in low-privilege mode, other than this article.
Does anyone know if there is a document on what a low-privilege UF can't do?
Will this let me run PowerShell commands?
A low-privileged user on Windows will not be able to access the Windows event logs without some additional configuration in your AD audit settings (and potentially a significant amount of pain).
An alternative to this is to run a collector to perform remote log collection; however, this is only marginally better, because you have now given a remote system a privileged logon to the domain controllers.
It's only right to point out that this is a limitation of Windows, rather than Splunk, but my advice is to keep up the fight.
The value (and speed/volume advantage over remote WMI) of a locally installed forwarder with sufficient rights is worth it over the headaches in the future.
If remote deployment is a concern (or the ability to do so), I would suggest locally deployed apps (i.e. no deployment server) over the alternatives, or even better a separate DS just to manage your sensitive deployment clients.
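The answer above says a low-privileged account cannot read the event logs without extra configuration. The usual way to grant just read access to the Security log, rather than local admin, is membership in the built-in Event Log Readers group (SID S-1-5-32-573), which the default Security channel ACL grants read (0x1). The PowerShell below is an added check, not from this thread or from Splunk: run it on the DC as the account you intend the forwarder service to use. It parses the channel's SDDL from `wevtutil get-log` to list who holds read, then tries an actual read with `Get-WinEvent`; the function names are my own.

```powershell
# Check who can read an event log channel and whether the current account can (run as the UF service account).

function Get-ChannelReadPrincipals {
    param([string]$LogName = 'Security')
    # wevtutil prints a line like: channelAccess: O:BAG:SYD:(A;;0xf0005;;;SY)(A;;0x5;;;BA)(A;;0x1;;;S-1-5-32-573)
    $raw = (wevtutil get-log $LogName) -join "`n"
    if ($raw -notmatch 'channelAccess:\s*(\S+)') { throw "channelAccess not found for log '$LogName'" }
    $sddl = $Matches[1]
    # Small map of SDDL well-known abbreviations; anything else is treated as a SID string.
    $abbrev = @{ SY = 'NT AUTHORITY\SYSTEM'; BA = 'BUILTIN\Administrators'; BU = 'BUILTIN\Users'
                 NS = 'NT AUTHORITY\NETWORK SERVICE'; LS = 'NT AUTHORITY\LOCAL SERVICE'; WD = 'Everyone' }
    foreach ($ace in [regex]::Matches($sddl, '\((A|D);;([^;]*);;;([^)]+)\)')) {
        $type = $ace.Groups[1].Value; $mask = $ace.Groups[2].Value; $trustee = $ace.Groups[3].Value
        # Read is bit 0x1 of a channel access mask; symbolic GR/GA/FR also imply read (simplification).
        $read = if ($mask -match '^0x') { ([int]$mask -band 0x1) -ne 0 } else { $mask -match 'GA|GR|FR' }
        $name = $abbrev[$trustee]
        if (-not $name) {
            try { $name = (New-Object System.Security.Principal.SecurityIdentifier($trustee)).Translate(
                          [System.Security.Principal.NTAccount]).Value }
            catch { $name = $trustee }   # unresolvable SID: report it raw
        }
        [pscustomobject]@{ Log = $LogName; Type = $(if ($type -eq 'A') { 'Allow' } else { 'Deny' })
                           Principal = $name; Sid = $trustee; Mask = $mask; GrantsRead = $read }
    }
}

function Test-ChannelRead {
    param([string]$LogName = 'Security')
    # A real read attempt under the current token; 'No events were found' still means access was granted.
    try { Get-WinEvent -LogName $LogName -MaxEvents 1 -ErrorAction Stop | Out-Null; return $true }
    catch {
        if ($_.Exception.Message -match 'No events were found') { return $true }
        return $false   # typically an access-denied error for a low-privileged account
    }
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host "Running as $($me.Name); in Event Log Readers: $($me.Groups -contains 'S-1-5-32-573')"
Get-ChannelReadPrincipals -LogName 'Security' | Where-Object GrantsRead | Format-Table -AutoSize
Write-Host "Can read Security log: $(Test-ChannelRead -LogName 'Security')"
```

If the last line prints False and the account is not in Event Log Readers, adding it to that group (or to a custom ACE on the channel) is the least-privilege fix to test before falling back to a privileged remote collector.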