Curious_Kevin16
Iron Contributor
Jul 25, 2024

Admin accounts which do not have the flag "This account is sensitive and cannot be delegated"

Hi AD Brain trust,

I'm currently working on a security assessment for our internal AD environment. One of the items in the report is - Presence of Admin accounts which do not have the flag "This account is sensitive and cannot be delegated": 6

I'm struggling to understand the consequences of setting the flag for admin accounts. If anyone can shed some light on the implications/recommendations to resolve this detection, it would be greatly appreciated!

Thank you!

1 Reply

  • Allan_Hare
    Copper Contributor

    Curious_Kevin16 

    It's a checkbox you can set on the AD user.

    The general idea is not to allow other users to be able to use the permissions of your admin user.

    There is a MS article that gives some more detail.

    https://learn.microsoft.com/en-us/windows-server/identity/ad-ds/manage/how-to-configure-protected-accounts
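
To list the accounts behind a finding like the one in the question, here is an added example (not from the thread or the linked article) that checks the `userAccountControl` bit behind the checkbox, which stops services trusted for Kerberos delegation from acting as the account. The function name `Get-DelegableAdmin` and the sample accounts are made up for illustration, and using `adminCount=1` to identify admin accounts is an assumption about how the assessment counted them.

```powershell
# Added example: not part of the original thread.
# ADS_UF_NOT_DELEGATED (0x100000) in userAccountControl is the bit behind the
# "Account is sensitive and cannot be delegated" checkbox.
$NOT_DELEGATED  = 0x100000
$ACCOUNTDISABLE = 0x2

function Get-DelegableAdmin {          # hypothetical helper name
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Account
    )
    process {
        # adminCount = 1 marks accounts that are (or once were) in a protected admin group
        if ($Account.adminCount -ne 1) { return }
        $uac = [int]$Account.userAccountControl
        if ($uac -band $NOT_DELEGATED) { return }   # flag already set, nothing to report
        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            Enabled        = -not [bool]($uac -band $ACCOUNTDISABLE)
            Finding        = 'Admin account can be delegated'
        }
    }
}

# Constructed sample records so the logic runs without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'adm-alice'; adminCount = 1;     userAccountControl = 0x200 }     # flag missing
    [pscustomobject]@{ SamAccountName = 'adm-bob';   adminCount = 1;     userAccountControl = 0x100200 }  # flag set
    [pscustomobject]@{ SamAccountName = 'adm-old';   adminCount = 1;     userAccountControl = 0x202 }     # disabled, flag missing
    [pscustomobject]@{ SamAccountName = 'jsmith';    adminCount = $null; userAccountControl = 0x200 }     # not an admin
)
$sample | Get-DelegableAdmin | Format-Table -AutoSize   # reports adm-alice and adm-old

# Against a live domain (requires the ActiveDirectory RSAT module):
# $hits = Get-ADUser -LDAPFilter '(adminCount=1)' -Properties adminCount, userAccountControl |
#         Get-DelegableAdmin
# Preview the change first; drop -WhatIf once each account is confirmed
# not to depend on Kerberos delegation (e.g. double-hop access through a web front end):
# $hits | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -AccountNotDelegated $true -WhatIf }
```

Because `adminCount` is not cleared when an account leaves a privileged group, review the output for former admins before changing anything.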

     
