One possible fix: on the domain controllers, temporarily switch the user that the universal forwarder runs as to a domain user (domain\user1, for example), restart Splunk, let it run for a few minutes, then reset the user that Splunk runs as back to Local System, and you should start seeing the Splunk_TA_windows ADMon stanza show up. Also, in Splunk_TA_windows/local/inputs.conf, make sure that you set ADMon to enabled. In WinEventLog://Security, make sure you set evt_resolve_ad_obj=1, so the GUIDs get translated in Splunk.
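As an added illustration (not part of the answer above), the two inputs.conf settings it refers to, shown as the shipped default beside the corrected local override; the `admon://default` stanza name and the file path are assumed to match a standard Splunk_TA_windows install on a domain controller.

```ini
# Assumed shipped default (Splunk_TA_windows/default/inputs.conf): AD monitoring off,
# and no GUID/SID resolution on the Security log.
[admon://default]
disabled = 1

[WinEventLog://Security]
disabled = 0

# Corrected local override (Splunk_TA_windows/local/inputs.conf) on each DC.
# Never edit default/; local/ takes precedence and survives TA upgrades.
[admon://default]
disabled = 0
# Monitor the whole directory tree from the root, not just one container.
monitorSubtree = 1

[WinEventLog://Security]
disabled = 0
# Resolve AD GUIDs/SIDs in Security events into readable object names.
evt_resolve_ad_obj = 1
```

Restart the forwarder after the change, and confirm the merged result with `splunk btool inputs list admon --debug` (and `... list WinEventLog://Security --debug`) before looking for ADMon data in the index.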