Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.
Severity | Group ID | Group Title | Version | Rule ID | Date | STIG Version |
|---|---|---|---|---|---|---|
| medium | V-243478 | SRG-OS-000480 | AD.0018 | SV-243478r959010_rule | 2026-02-11 | 3 |
Description
Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If delegation is required, it must be limited/constrained to the specific services and accounts required.
ℹ️ Check
Open "Windows PowerShell" on a domain controller.
Enter "Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)} -Properties TrustedForDelegation, TrustedToAuthForDelegation, ServicePrincipalName, Description, PrimaryGroupID".
If any computers are returned, this is a finding.
(TrustedForDelegation equaling True indicates unconstrained delegation.)
PrimaryGroupID 515 = Domain computers (excludes DCs)
TrustedForDelegation = Unconstrained Delegation
TrustedToAuthForDelegation = Constrained delegation
ServicePrincipalName = Service Names
Description = Computer Description
✔️ Fix
Remove unconstrained delegation from computers in the domain.
Select "Properties" for the computer object.
Select the "Delegation" tab.
De-select "Trust this computer for delegation to any service (Kerberos only)"
Configured constrained delegation for specific services where required.