Choose the Windows user Splunk Enterprise should run as

The Splunk Enterprise installer no longer lets you choose the Windows user that Splunk Enterprise runs as. By default, the Splunkd service runs as the NT SERVICE\Splunkd virtual service account.

As of version 10.2, the installer no longer offers a choice of service account: installing Splunk Enterprise on Windows to run as a domain user is no longer supported, and running it as the Local System account requires an explicit installer argument, described below. Splunk made this change to reduce the privileges the Splunkd service runs with and to simplify installing and operating Splunk Enterprise on Windows. See Deprecated and removed in the Splunk Enterprise version 10.2 Release Notes.

Read on to understand how these changes affect you and what you must do during an upgrade to keep your existing user configuration. In general, if you currently run Splunk Enterprise as the Local System account, you can keep that configuration by passing the installer argument described in this topic when you upgrade. If you currently run it as a domain user, this topic describes the Universal Forwarder alternative.

Splunk has changed how you install Splunk Enterprise on Windows

These changes mean that you must adapt how you install or upgrade Splunk Enterprise on Windows.

  • There is no longer an option to install Splunk Enterprise as a domain user. If you want to collect data from a Windows machine using a domain user, install a Universal Forwarder instead. The UF installer still lets you choose a domain user or the Local System account. See Install a Windows universal forwarder from an installer in the Universal Forwarder documentation.
    Note: It is possible to run both a Universal Forwarder and a Splunk Enterprise indexer or search head on the same machine, with the UF collecting the data and forwarding it to the local Splunk Enterprise instance.
  • When you install or upgrade Splunk Enterprise to version 10.2 or higher, it runs as the low-privilege virtual service account NT SERVICE\Splunkd. This happens when you either pass the INSTALL_AS_ADMINISTRATOR=0 argument to the msiexec installer or omit the argument entirely.

  • To continue running Splunk Enterprise as the Local System account during an installation or upgrade, include the INSTALL_AS_ADMINISTRATOR=1 argument. For example, to perform a quiet installation and run Splunk Enterprise as Local System, run the following command:

    msiexec.exe /i "splunk.msi" INSTALL_AS_ADMINISTRATOR=1 /qn
  • If Splunk Enterprise was previously installed to run as a domain user, the upgrade does not remove that domain user from the local Administrators group; it grants the NT SERVICE\Splunkd account access to the Splunk installation resources the domain user had instead. Once the upgrade is complete and nothing else depends on that domain user, remove it from the local Administrators group yourself so the machine does not keep an unused privileged account.
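The install-and-verify step above, as an added PowerShell example that is not part of the Splunk documentation: it runs the quiet install with the chosen INSTALL_AS_ADMINISTRATOR value, confirms the identity the Splunkd service actually starts as, and warns if a previously used domain account is still a member of the local Administrators group. The MSI path, the script parameters, the example domain account and the AGREETOLICENSE=Yes argument (required for unattended Splunk MSI installs, but not shown on this page) are assumptions.

```powershell
# Added example, not Splunk's own code. Assumed: $MsiPath, $OldDomainUser,
# AGREETOLICENSE=Yes, and that the Splunk Enterprise service is named "Splunkd".
param(
    [string]$MsiPath = 'C:\Temp\splunk.msi',   # assumed location of the installer
    [switch]$RunAsLocalSystem,                 # pass to keep the Local System account
    [string]$OldDomainUser                     # e.g. 'CORP\svc-splunk' (assumed), if any
)

$installAsAdmin = if ($RunAsLocalSystem) { 1 } else { 0 }
$msiArgs = @(
    '/i', "`"$MsiPath`"",
    "INSTALL_AS_ADMINISTRATOR=$installAsAdmin",
    'AGREETOLICENSE=Yes',     # assumed: needed for an unattended install
    '/qn'
)

$proc = Start-Process -FilePath 'msiexec.exe' -ArgumentList $msiArgs -Wait -PassThru
# 0 = success, 3010 = success but a reboot is pending
if ($proc.ExitCode -notin @(0, 3010)) {
    throw "msiexec.exe exited with code $($proc.ExitCode)"
}

# Win32_Service.StartName reports 'LocalSystem' for the Local System account and
# 'NT SERVICE\Splunkd' for the virtual service account.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='Splunkd'"
if (-not $svc) { throw 'Splunkd service not found after installation' }

$expected = if ($RunAsLocalSystem) { 'LocalSystem' } else { 'NT SERVICE\Splunkd' }
if ($svc.StartName -ne $expected) {
    throw "Splunkd runs as '$($svc.StartName)', expected '$expected'"
}
Write-Host "Splunkd runs as $($svc.StartName)"

# An upgrade leaves a previously configured domain user in local Administrators.
# Flag it so it can be removed once nothing else depends on it.
if ($OldDomainUser) {
    $admins = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    if ($admins.Name -contains $OldDomainUser) {
        Write-Warning "$OldDomainUser is still in local Administrators."
        Write-Warning "Remove it with: Remove-LocalGroupMember -Group Administrators -Member '$OldDomainUser'"
    }
}
```

Run it from an elevated PowerShell session; omit the -RunAsLocalSystem switch to get the default NT SERVICE\Splunkd account, and pass -OldDomainUser when upgrading a machine that previously ran Splunk Enterprise as a domain user.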

User limitations for running Splunk Enterprise on Windows

These changes introduce limitations to how you can run Splunk Enterprise on Windows.

  • When Splunk Enterprise runs as the NT SERVICE\Splunkd user, the software cannot access network resources that require domain authentication. This is because NT SERVICE\Splunkd is a virtual account local to the machine, not a domain principal, so it lacks the following:

    • Access Control List (ACL) permissions on network shares

    • The network privileges required to collect data remotely from other machines using Windows Management Instrumentation (WMI)

      Alternative: Install the Splunk Universal Forwarder on Windows machines where you need a domain user or local administrative access. The Universal Forwarder can still be installed to run as the Local System account or as a domain user.

  • For Splunk Enterprise installations where the Splunk database directory is separate from the SPLUNK_HOME directory, you must grant the NT SERVICE\Splunkd user appropriate ACL permissions on the database directory tree. Failure to do so prevents Splunk Enterprise from accessing its databases. Use the icacls command-line utility in Windows to set the ACL permissions.

    Example:
    icacls {path-to-db-tree} /grant "NT SERVICE\Splunkd:(OI)(CI)(F)" /t /c

    where:

    • {path-to-db-tree} - path to the Splunk database directory

    • (OI) - Object Inherit: the permission entry is inherited by files below the target directory.

    • (CI) - Container Inherit: the permission entry is inherited by subdirectories below the target directory. Together, (OI)(CI) make the entry apply to every file and folder in the tree.

    • (F) - Assign "Full control" permissions to the resource

    • /t - Applies permissions to the target directory and all its subdirectories and files. Without /t, the command applies permissions to the target directory only.

    • /c - Instructs the command to continue on access denied errors. This option attempts to apply the permissions to all files and subdirectories in {path-to-db-tree}. If it encounters an access denied error on any file or folder, it skips that file or folder and continues processing the remaining items in the path.
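The grant above with a verification step, as an added PowerShell example that is not part of the Splunk documentation: it runs the same icacls command the page shows, then reads the resulting ACL back with Get-Acl to confirm that NT SERVICE\Splunkd holds an inheritable Full control entry on the root of the tree and that the entry has propagated to a file inside it, rather than trusting the exit code. The database path D:\SplunkDB is an assumption.

```powershell
# Added example, not Splunk's own code. Assumed: the database directory path
# $DbPath; the account name and icacls flags are the ones the page documents.
param([string]$DbPath = 'D:\SplunkDB')   # assumed location of the DB tree

$account = 'NT SERVICE\Splunkd'
if (-not (Test-Path -LiteralPath $DbPath -PathType Container)) {
    throw "Database directory '$DbPath' does not exist"
}

# Same grant the page shows: full control, inherited by files (OI) and
# subdirectories (CI), applied recursively (/t), continuing past errors (/c).
& icacls.exe $DbPath /grant "${account}:(OI)(CI)(F)" /t /c | Out-Null
if ($LASTEXITCODE -ne 0) {
    Write-Warning "icacls exited with $LASTEXITCODE; with /c some items may have been skipped"
}

# Verify the ACE on the root of the tree rather than trusting the exit code.
$flags = [System.Security.AccessControl.InheritanceFlags]
$ace = (Get-Acl -LiteralPath $DbPath).Access | Where-Object {
    $_.IdentityReference.Value -eq $account -and
    $_.AccessControlType -eq 'Allow' -and
    $_.FileSystemRights -eq 'FullControl' -and
    $_.InheritanceFlags.HasFlag($flags::ContainerInherit) -and
    $_.InheritanceFlags.HasFlag($flags::ObjectInherit)
}
if (-not $ace) { throw "No inheritable FullControl ACE for $account on $DbPath" }

# Spot-check one file deep in the tree: its ACE should be an inherited copy.
$sample = Get-ChildItem -LiteralPath $DbPath -Recurse -File | Select-Object -First 1
if ($sample) {
    $fileAce = (Get-Acl -LiteralPath $sample.FullName).Access | Where-Object {
        $_.IdentityReference.Value -eq $account -and $_.IsInherited
    }
    if (-not $fileAce) { throw "ACE did not propagate to $($sample.FullName)" }
}
Write-Host "$account has inheritable FullControl on $DbPath"
```

Run it from an elevated PowerShell session. If the spot-check fails on a file that the icacls run skipped because of an access denied error (the /c behaviour), fix the ownership or ACL of that item and rerun; Splunk Enterprise will not be able to open a database file the service account cannot read.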