PRACTITIONER GUIDE | IDENTITY SECURITY
Practitioner GuideUpdated 11 min read

Kerberos Delegation Audit: How to Find and Remediate Unconstrained and Constrained Delegation Risks in Active Directory

TrustedForDelegation
AD attribute flag set on all unconstrained delegation accounts
3 types
Delegation types: unconstrained, constrained, resource-based constrained
Protected Users
Group membership that prevents any delegation of privileged accounts

SponsoredRetool

Retool's new app builder is where AI-generated code ships safely

Building apps with AI is easy. Getting them to production safely is another story.

Start building for free today

Kerberos delegation misconfigurations are in almost every Active Directory environment of any age, because enabling delegation was historically the path of least resistance when setting up multi-tier applications. The risks were not widely understood. Unconstrained delegation is the most dangerous type: a compromised service running on an unconstrained delegation host captures Kerberos tickets from any user who authenticates to it -- and domain controllers authenticate to many hosts, meaning unconstrained delegation hosts commonly accumulate DC tickets. This guide covers how to enumerate all three delegation types, what attack is enabled by each, and how to remediate or contain each risk.

Enumerate All Delegation Types with PowerShell

Find all computer accounts with unconstrained delegation (excluding DCs, which legitimately have it): Get-ADComputer -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation, ServicePrincipalName | Where-Object { $_.DistinguishedName -notlike 'Domain Controllers' } | Select-Object Name, ServicePrincipalName. Find all user accounts with unconstrained delegation (always suspicious -- user accounts should never have this): Get-ADUser -Filter { TrustedForDelegation -eq $true } -Properties TrustedForDelegation | Select-Object SamAccountName, DistinguishedName. Find constrained delegation: Get-ADObject -Filter { msDS-AllowedToDelegateTo -like '' } -Properties msDS-AllowedToDelegateTo, SamAccountName | Select-Object SamAccountName, 'msDS-AllowedToDelegateTo'. Find resource-based constrained delegation (RBCD): Get-ADObject -Filter { 'msDS-AllowedToActOnBehalfOfOtherIdentity' -like '' } -Properties 'msDS-AllowedToActOnBehalfOfOtherIdentity', SamAccountName | Select-Object SamAccountName, 'msDS-AllowedToActOnBehalfOfOtherIdentity'. BloodHound also enumerates all delegation types -- query 'Find computers with Unconstrained Delegation' and 'Find accounts with Constrained Delegation' in the built-in query set.

Unconstrained Delegation: The Highest Risk

Any computer account with TrustedForDelegation=True and any user account with the same setting represents an unconstrained delegation risk. The Printer Bug (PrinterBug / SpoolSample) attack exploits this: an attacker forces a domain controller to authenticate to an unconstrained delegation host by triggering the MS-RPRN or MS-EFSRPC interface. The DC's machine ticket arrives at the unconstrained delegation host; Rubeus can extract it and use it to perform a DCSync. Remediation for computer accounts: migrate the application using this account to constrained delegation instead. If migration is not immediately possible, add the computer account to a monitored group and alert on any Kerberos ticket extraction (Event ID 4769 with Service Name ending in $ from that host). Remediation for user accounts: there is almost never a legitimate reason for a user account to have unconstrained delegation. Remove the flag immediately via Active Directory Users and Computers (Delegation tab, select 'Do not trust this user for delegation') or PowerShell: Set-ADUser username -TrustedForDelegation $false.

Free daily briefing

Briefings like this, every morning before 9am.

Threat intel, active CVEs, and campaign alerts, distilled for practitioners. 50,000+ subscribers. No noise.

Constrained Delegation: Scope Matters

Constrained delegation limits which specific services a service account can impersonate users to (e.g., only the SQL Server MSSQLSvc SPNs, not any service in the domain). The risk is lower than unconstrained delegation but still real if the constrained delegation target includes high-value services. Review the msDS-AllowedToDelegateTo values: if a service account has constrained delegation to 'LDAP/dc01.domain.com', an attacker who compromises that service account can impersonate any user to the DC's LDAP service and perform DCSync without domain admin credentials. Audit the constrained delegation target list and ask: does this service account actually need to delegate to the LDAP service on the DC? Most web and application accounts need database SPNs (MSSQLSvc), not DC SPNs. Remove delegation targets that are not required by the application. Also check whether the account is configured for 'Use any authentication protocol' (Protocol Transition) vs. 'Use Kerberos only' -- Protocol Transition is more dangerous as it allows transitioning from non-Kerberos authentication to Kerberos delegation and should only be used when the application specifically requires it.

Resource-Based Constrained Delegation (RBCD) Abuse

RBCD allows a target resource to control which principals can delegate to it by setting msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer object. If an attacker can write to this attribute on a computer object (via GenericWrite or similar ACL rights), they can configure an attacker-controlled machine account to impersonate any user to that computer -- including domain admins. The attack requires: write access to the target computer object's msDS-AllowedToActOnBehalfOfOtherIdentity attribute (findable via BloodHound as 'GenericWrite' or 'WriteProperty' edges to computer objects), and a machine account (which any domain user can create by default, up to the MachineAccountQuota of 10). Remediation: reduce MachineAccountQuota to 0 for non-admin users (ms-DS-MachineAccountQuota on the domain object). Audit msDS-AllowedToActOnBehalfOfOtherIdentity on all computer objects and remove any unexpected entries. Restrict GenericWrite access to computer objects to administrative accounts only.

Protect Privileged Accounts from Delegation

The simplest and most important delegation hardening step for privileged accounts is adding them to the Protected Users security group. Accounts in Protected Users cannot be delegated regardless of what delegation settings are configured on the service -- the KDC will refuse to create a delegable ticket for Protected Users members. Add all domain admin accounts, tier 0 service accounts, and executives to Protected Users immediately. Also set 'Account is sensitive and cannot be delegated' on any account that does not need to be delegated to at all -- this is a per-account flag that prevents delegation from that account (different from Protected Users, which also restricts NTLM and RC4). Use the 'Account is sensitive' flag for all service accounts that do not require delegation. For ongoing monitoring: alert on any modification to TrustedForDelegation, msDS-AllowedToDelegateTo, or msDS-AllowedToActOnBehalfOfOtherIdentity via Event ID 5136 (directory service object modification).

The bottom line

Unconstrained delegation is the highest-priority finding in an AD delegation audit -- remove it from all non-DC computer accounts and all user accounts. Constrained delegation is acceptable when the target SPN list is minimal and does not include DC services. RBCD is most dangerous via ACL abuse paths findable in BloodHound. Add all privileged accounts to Protected Users as a baseline control that makes delegation attacks against those accounts impossible regardless of other configuration.

Frequently asked questions

Do domain controllers need unconstrained delegation?

Yes, domain controllers legitimately have TrustedForDelegation=True because they need to impersonate users for Kerberos authentication to work correctly. When enumerating unconstrained delegation, always exclude the Domain Controllers OU. The risk is non-DC computer accounts and user accounts with unconstrained delegation enabled.

What is the Printer Bug and how does it exploit unconstrained delegation?

The Printer Bug (SpoolSample) exploits the Windows Print Spooler service's MS-RPRN RPC interface. When called against a DC, it forces the DC machine account to authenticate to an attacker-specified host. If that host has unconstrained delegation enabled, the DC's TGT (Ticket Granting Ticket) arrives and is cached there. An attacker with access to the unconstrained delegation host can extract the DC TGT with Rubeus (Rubeus monitor /interval:5) and use it for DCSync. Mitigation: disable the Print Spooler service on all DCs (it is not needed there), or patch to the July 2021 update that addresses the most commonly exploited MS-RPRN paths.

What is the MachineAccountQuota and why does it matter for RBCD?

MachineAccountQuota (ms-DS-MachineAccountQuota on the domain object) controls how many machine accounts a standard domain user can create. The default is 10. RBCD attacks require an attacker-controlled machine account -- if MachineAccountQuota is 0, standard domain users cannot create machine accounts and the attack requires a pre-existing compromised machine account or admin access. Set MachineAccountQuota to 0 via ADSI Edit or PowerShell: Set-ADDomain -Identity domain.com -Replace @{'ms-DS-MachineAccountQuota'='0'}. Legitimate machine account creation should go through your IT provisioning process.

Can I use BloodHound to find all delegation attack paths?

Yes. BloodHound Community Edition includes built-in queries for unconstrained and constrained delegation. It also maps GenericWrite and WriteProperty edges to computer objects, which reveal RBCD attack paths. Run SharpHound with the -CollectionMethod All flag to ensure delegation data is collected. After ingestion, the queries 'Find Computers with Unconstrained Delegation', 'Find accounts trusted to perform Kerberos Delegation', and path analysis from compromised accounts to domain admins will surface the highest-risk delegation configurations.

What is resource-based constrained delegation and when should I use it instead of classic constrained delegation?

Classic constrained delegation (msDS-AllowedToDelegateTo) is configured on the service account and requires Domain Admin or Account Operator privileges to set. Resource-based constrained delegation (RBCD, msDS-AllowedToActOnBehalfOfOtherIdentity) is configured on the target computer object and can be set by anyone with GenericWrite or WriteProperty access to that computer object -- this makes it the more dangerous default for attackers. Use RBCD when the resource owner (not the delegating service owner) must control which services can delegate to them, which is common in cloud-hybrid and cross-domain scenarios. Never grant GenericWrite on computer objects to non-admin accounts; audit it regularly in BloodHound.

What is the S4U2self/S4U2proxy attack chain and how does it exploit delegation?

S4U2self (Service for User to Self) and S4U2proxy (Service for User to Proxy) are Kerberos extensions that implement constrained delegation. S4U2self allows a service with constrained delegation to request a service ticket for any user to itself, creating an impersonation ticket without that user having originally authenticated. S4U2proxy then uses that ticket to access a downstream service on behalf of the impersonated user. Attackers exploit this chain when they compromise an account with constrained delegation configured: they can impersonate any user (including Domain Admins) to the services listed in the delegation configuration. The critical detail is that S4U2self can generate tickets for privileged users who are marked as 'sensitive and cannot be delegated' -- the sensitive flag is only checked during S4U2proxy, not S4U2self. Defense: add all privileged accounts to the Protected Users group (which prevents their tickets from being forwarded) and regularly audit delegation configurations in BloodHound.

Sources & references

  1. Microsoft: Kerberos Constrained Delegation Overview
  2. Microsoft: Protected Users Security Group

Free resources

25
Free download

Critical CVE Reference Card 2025–2026

25 actively exploited vulnerabilities with CVSS scores, exploit status, and patch availability. Print it, pin it, share it with your SOC team.

No spam. Unsubscribe anytime.

Free download

Ransomware Incident Response Playbook

Step-by-step 24-hour IR checklist covering detection, containment, eradication, and recovery. Built for SOC teams, IR leads, and CISOs.

No spam. Unsubscribe anytime.

Free newsletter

Get threat intel before your inbox does.

50,000+ security professionals read Decryption Digest for early warnings on zero-days, ransomware, and nation-state campaigns. Free, daily, no spam.

Unsubscribe anytime. We never sell your data.

Eric Bang
Author

Founder & Cybersecurity Evangelist, Decryption Digest

Cybersecurity professional with expertise in threat intelligence, vulnerability research, and enterprise security. Covers zero-days, ransomware, and nation-state operations for 50,000+ security professionals every morning.

Black Hat Giveaway

Win a $2,495 Black Hat pass.

Full-access to Black Hat USA 2026 in Las Vegas. Subscribe free to enter.

Joins Decryption Digest daily briefing. Unsubscribe anytime.

Giveaway: Black Hat USA 2026 Full-Access Pass ($2,495 value)

Details →
Daily Briefing

Subscribe to enter the giveaway

Every subscriber is automatically entered. You also get daily threat intel every morning: zero-days, ransomware, and nation-state campaigns. Free. No spam.

Already subscribed? You're already entered.

Giveaway

Win a $2,495 Black Hat USA 2026 pass.