Removing unconstrained delegation on AD machine accounts


I've just started working for a company where I noticed that a bunch of our Windows servers have unconstrained delegation enabled on their AD machine account. I would like to either disable delegation altogether or limit the delegation to specific services/hosts. However, as I'm new to this environment (and there is no documentation), I'm not sure whether delegation is still needed for these servers. And if it is needed, to which servers and services is the delegation being used?


For now I want to focus on the machine accounts where delegation is enabled. How do I investigate this? I have searched for event ID 4769 on the domain controllers, but I'm not able to interpret the logs properly. I was hoping that I would be able to see which servers and services the delegation is being used against. I mean, in AD I can see that a specific server is "trusted for delegation", but when the delegation is set to "any service", I need to find out against which services and servers it is being used.

Any help or insights would be greatly appreciated. Thanks!

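The question above asks two things: which machine accounts are configured for unconstrained delegation, and how to read event 4769 to see the delegation actually being used. The following is an added example (not code from the original post or from Microsoft) that works through both on constructed data offline. It assumes the computer objects have been exported with their `userAccountControl` and `msDS-AllowedToDelegateTo` values, and that 4769 events from the DCs have been flattened into `Field=value;...` lines using the real EventData field names (`TargetUserName`, `ServiceName`, `IpAddress`, `TicketOptions`). The `userAccountControl` bit values and the `TicketOptions` FORWARDED bit are the documented ones; the account names, IP addresses and the flattened export format are assumptions constructed for the example.

```python
"""Triage unconstrained delegation: find the accounts, then see it being used in 4769 events."""
from __future__ import annotations
from collections import defaultdict

# userAccountControl bits (documented values of the AD attribute)
UAC_SERVER_TRUST_ACCOUNT = 0x2000               # domain controller computer account
UAC_TRUSTED_FOR_DELEGATION = 0x80000            # "Trust this computer for delegation to any service"
UAC_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition

# Bit in the 4769 TicketOptions field that marks a FORWARDED ticket request
KDC_OPT_FORWARDED = 0x20000000


def delegation_kind(uac: int, allowed_to: list[str] | None) -> str:
    """Classify an account from userAccountControl plus its msDS-AllowedToDelegateTo list."""
    if uac & UAC_TRUSTED_FOR_DELEGATION:
        return "unconstrained"
    if allowed_to:
        if uac & UAC_TRUSTED_TO_AUTH_FOR_DELEGATION:
            return "constrained (protocol transition)"
        return "constrained"
    return "none"


def unconstrained_computers(computers: list[dict]) -> list[tuple[str, bool]]:
    """(name, is_dc) for every computer flagged for unconstrained delegation.
    DCs carry the bit by design and are reported separately rather than as findings."""
    out = []
    for c in computers:
        uac = c["userAccountControl"]
        if uac & UAC_TRUSTED_FOR_DELEGATION:
            out.append((c["name"], bool(uac & UAC_SERVER_TRUST_ACCOUNT)))
    return out


def parse_4769(line: str) -> dict:
    """Parse one flattened 4769 record (constructed 'Field=value;...' export format)."""
    rec = {}
    for part in line.strip().split(";"):
        key, _, value = part.partition("=")
        rec[key.strip()] = value.strip()
    rec["TicketOptions"] = int(rec["TicketOptions"], 16)
    return rec


def _account(upn: str) -> str:
    """Strip the realm from 'name@REALM' and normalise case for comparison."""
    return upn.split("@", 1)[0].upper()


def forwarded_tgt_requests(events: list[dict]) -> list[dict]:
    """4769 records for service krbtgt with the FORWARDED option set: a client fetching a
    forwarded TGT to hand to a server whose ticket carried OK-AS-DELEGATE, i.e. unconstrained
    delegation being exercised. The IP here is the client's workstation, not the server."""
    return [e for e in events
            if e["ServiceName"].lower() == "krbtgt" and e["TicketOptions"] & KDC_OPT_FORWARDED]


def delegated_use(events: list[dict], host_ips: dict[str, str]) -> dict[str, list[tuple[str, str]]]:
    """For each unconstrained host, the (user, service) pairs it requested tickets for.
    A request from the host's IP for an account other than its own machine account is the
    host acting with a delegated user's TGT; ServiceName is the downstream server it reached."""
    ip_to_host = {ip: host for host, ip in host_ips.items()}
    use: dict[str, set] = defaultdict(set)
    for e in events:
        host = ip_to_host.get(e["IpAddress"].replace("::ffff:", ""))
        if host is None:
            continue
        user = _account(e["TargetUserName"])
        if user == host.upper():
            continue  # the server authenticating as itself, not on a user's behalf
        use[host].add((user, e["ServiceName"]))
    return {h: sorted(s) for h, s in use.items()}


# Constructed sample data: computer objects and flattened 4769 records
SAMPLE_COMPUTERS = [
    {"name": "DC01$", "userAccountControl": 0x82000, "msDS-AllowedToDelegateTo": None},
    {"name": "APP01$", "userAccountControl": 0x81000, "msDS-AllowedToDelegateTo": None},
    {"name": "WEB01$", "userAccountControl": 0x1001000,
     "msDS-AllowedToDelegateTo": ["cifs/files01.corp.example"]},
    {"name": "WS07$", "userAccountControl": 0x1000, "msDS-AllowedToDelegateTo": None},
]
SAMPLE_4769 = """
TargetUserName=alice@CORP.EXAMPLE;ServiceName=APP01$;IpAddress=::ffff:10.0.0.50;TicketOptions=0x40810000
TargetUserName=alice@CORP.EXAMPLE;ServiceName=krbtgt;IpAddress=::ffff:10.0.0.50;TicketOptions=0x60810010
TargetUserName=alice@CORP.EXAMPLE;ServiceName=SQL01$;IpAddress=::ffff:10.0.0.20;TicketOptions=0x40810000
TargetUserName=alice@CORP.EXAMPLE;ServiceName=FILES01$;IpAddress=::ffff:10.0.0.20;TicketOptions=0x40810000
TargetUserName=APP01$@CORP.EXAMPLE;ServiceName=DC01$;IpAddress=::ffff:10.0.0.20;TicketOptions=0x40810000
TargetUserName=bob@CORP.EXAMPLE;ServiceName=SQL01$;IpAddress=::ffff:10.0.0.51;TicketOptions=0x40810000
""".strip().splitlines()
SAMPLE_HOST_IPS = {"APP01$": "10.0.0.20"}  # constructed: IP of the unconstrained host

if __name__ == "__main__":
    print("unconstrained:", unconstrained_computers(SAMPLE_COMPUTERS))
    events = [parse_4769(l) for l in SAMPLE_4769]
    print("forwarded TGTs:", [(e["TargetUserName"], e["IpAddress"]) for e in forwarded_tgt_requests(events)])
    print("delegated use:", delegated_use(events, SAMPLE_HOST_IPS))
```

In a live environment the computer list comes from the directory (for example `Get-ADComputer` with the `userAccountControl` and `msDS-AllowedToDelegateTo` properties) and the events from the DCs' Security logs, collected over a window long enough to cover monthly or quarterly jobs. A host that never shows up in `delegated_use` over that window is a candidate for clearing the flag; one that does shows exactly the downstream services to list under constrained delegation instead. Domain controllers keep the bit by design, and this only covers Kerberos: services that fall back to NTLM never appear in 4769.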