All,
Per a request from our security team, I moved Splunk to LDAP only and blasted the local admin account. But ES is going crazy about orphaned objects now. Any recommendation?
I was thinking I can get away with creating a service account and reassigning the objects there. Will that be fine?
All the ES searches run as admin, which is why everything is broken now 🙂 You are correct that it is fine to reassign all the objects to a service account. See http://docs.splunk.com/Documentation/ES/5.0.0/Install/ConfigureUsersRoles
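Added example, not part of the original posts: a Python sketch that audits an app's `metadata/local.meta` text for objects whose `owner` no longer resolves and rewrites only those lines to a service account. The sample metadata, the object names and the account name `svc_splunk_es` are constructed for illustration, and the set of valid users is assumed to be supplied by you.

```python
import re
from urllib.parse import unquote

# Constructed sample of an app's metadata/local.meta (not from a real system).
SAMPLE_META = """\
[savedsearches/Threat%20-%20Example%20Rule]
owner = admin
version = 7.0.0

[savedsearches/Access%20-%20Example%20Tracker]
owner = jdoe
export = system

[views/example_dashboard]
owner = nobody

[]
access = read : [ * ], write : [ admin ]
"""

STANZA = re.compile(r"^\[(.*)\]\s*$")
OWNER = re.compile(r"^(\s*owner\s*=\s*)(\S+)\s*$")

def find_orphans(meta_text, valid_users):
    """Return (object_type, object_name, owner) for owners not in valid_users."""
    orphans, stanza = [], None
    for line in meta_text.splitlines():
        if m := STANZA.match(line):
            stanza = m.group(1)
        elif (m := OWNER.match(line)) and stanza and m.group(2) not in valid_users:
            obj_type, _, name = stanza.partition("/")
            orphans.append((obj_type, unquote(name), m.group(2)))
    return orphans

def reassign(meta_text, valid_users, new_owner):
    """Rewrite only the owner lines that point at accounts that no longer exist."""
    out = []
    for line in meta_text.splitlines():
        m = OWNER.match(line)
        if m and m.group(2) not in valid_users:
            line = m.group(1) + new_owner  # role names in access lines are untouched
        out.append(line)
    return "\n".join(out) + "\n"

if __name__ == "__main__":
    users = {"jdoe", "nobody", "svc_splunk_es"}  # accounts that still resolve
    for obj in find_orphans(SAMPLE_META, users):
        print(obj)
    print(reassign(SAMPLE_META, users, "svc_splunk_es"))
```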