Hi @jonwick,

I usually install Universal Forwarder as a SYSTEM_LOCAL, but, as you can read at https://docs.splunk.com/Documentation/Forwarder/8.0.6/Forwarder/InstallaWindowsuniversalforwarderfromaninstaller#Choose_the_Windows_user_that_the_universal_forwarder_should_run_as , you can also install it as a Domain Account.

The reasons are: read Event Logs remotely, collect performance counters remotely, read network shares for log files, access the Active Directory schema, using Active Directory monitoring.

If you install as a domain user, you can choose whether or not the user has administrative privileges on the local machine. If you choose not to give the user administrative privileges, the universal forwarder enables "low-privilege" mode.

Ciao.
Giuseppe