Removing unconstrained delegation on AD machine accounts

Regular Visitor

I've just started working for a company where I noticed that a bunch of our Windows servers have unconstrained delegation enabled on their AD machine account. I would like to either disable delegation altogether or limit the delegation to specific services/hosts. However, as I'm new to this environment (and there is no documentation) I'm not sure whether delegation is still needed for these servers. And if it is needed - to which servers and services is the delegation being used.

 

For now I want to focus on the machine accounts where delegation is enabled. How do I investigate this? I have searched for event id 4769 on the domain controllers, but I'm not able to interpret the logs properly. I was hoping that I would be able to see which servers and services the delegation is being used against? I mean; in AD I can see that a specific server is "trusted for delegation", but when the delegation is set to "any service", I need to find out against which services and servers it is being used.

Any help or insights would be greatly appreciated. Thanks!

1 Reply

@sallowdk8600 I have the same issue and have a list of windows servers with trusted delegation enabled for any service, did you manage to find out against what specific services the delegation was being used for?