Removing unconstrained delegation on AD machine accounts


I've just started working for a company where I noticed that a bunch of our Windows servers have unconstrained delegation enabled on their AD machine account. I would like to either disable delegation altogether or limit the delegation to specific services/hosts. However, as I'm new to this environment (and there is no documentation), I'm not sure whether delegation is still needed for these servers. And if it is needed, to which servers and services is the delegation being used?


For now I want to focus on the machine accounts where delegation is enabled. How do I investigate this? I have searched for event ID 4769 on the domain controllers, but I'm not able to interpret the logs properly. I was hoping that I would be able to see which servers and services the delegation is being used against. I mean, in AD I can see that a specific server is "trusted for delegation", but when the delegation is set to "any service", I need to find out against which services and servers it is being used.

Any help or insights would be greatly appreciated. Thanks!

1 Reply

@sallowdk8600 I have the same issue and have a list of Windows servers with trusted delegation enabled for any service. Did you manage to find out against which specific services the delegation was being used?
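A defender-side starting point for the question both posts above raise, added here as an example (it is not from either poster): it lists the machine accounts carrying the unconstrained-delegation flag, then correlates 4769 events from a domain controller to see on whose behalf, and for which services, those hosts have been requesting tickets. It assumes the RSAT ActiveDirectory module, read access to the Security log on the DC named in `$Dc` (a placeholder), and that the Client Address in the events can be matched to the servers' current IPv4 addresses.

```powershell
# Added example (not from either post). Assumes the RSAT ActiveDirectory module and
# read access to the Security log on the domain controller named in $Dc (placeholder).
Import-Module ActiveDirectory

# userAccountControl bit for "Trust this computer for delegation to any service (Kerberos only)"
$TRUSTED_FOR_DELEGATION = 0x80000

# 1) Machine accounts with unconstrained delegation. Domain controllers (primaryGroupID 516)
#    carry the flag by design, so they are excluded from the review list.
$unconstrained = Get-ADComputer `
    -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$TRUSTED_FOR_DELEGATION)" `
    -Properties IPv4Address, PrimaryGroupID, LastLogonDate |
    Where-Object { $_.PrimaryGroupID -ne 516 }
$unconstrained | Select-Object Name, IPv4Address, LastLogonDate | Format-Table -AutoSize

# Map each delegating server's address to its name so 4769 rows can be attributed to it.
$ipToHost = @{}
foreach ($c in $unconstrained) { if ($c.IPv4Address) { $ipToHost[$c.IPv4Address] = $c.Name } }

# 2) 4769 = "A Kerberos service ticket was requested". When a server with unconstrained
#    delegation uses a forwarded user TGT, the DC records the *user* as Account Name
#    (TargetUserName) but the *server* as Client Address (IpAddress). Rows where the two
#    disagree show delegation in use, and ServiceName shows what it was used against.
$Dc = 'DC01'   # placeholder: a domain controller in the environment
$events = Get-WinEvent -ComputerName $Dc -FilterHashtable @{
    LogName = 'Security'; Id = 4769; StartTime = (Get-Date).AddDays(-7) }

$usage = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $ip = $d['IpAddress'] -replace '^::ffff:', ''      # strip IPv4-mapped IPv6 prefix
    if (-not $ipToHost.ContainsKey($ip)) { continue }
    $server = $ipToHost[$ip]
    # The server's own requests (account "SERVER$@REALM") are normal and not delegation.
    if ($d['TargetUserName'] -like "$server`$@*") { continue }
    [pscustomobject]@{
        Time             = $e.TimeCreated
        DelegatingHost   = $server
        OnBehalfOf       = $d['TargetUserName']
        ServiceRequested = $d['ServiceName']
        Status           = $d['Status']      # 0x0 = success
    }
}

# Note: users logged on interactively (e.g. RDP) to the host produce the same pattern, so
# confirm each host/service pair before removing or constraining the delegation.
$usage | Group-Object DelegatingHost, ServiceRequested | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it against every domain controller (or a forwarded copy of their Security logs), since ticket requests are logged only on the DC that served them; hosts that show no rows over a representative period are candidates for clearing the flag or moving to constrained delegation.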