Is Active Directory user account delegat used on the same computer

Posted on 2014-03-06
Last Modified: 2014-03-10
In the User Properties for Active Directories there is a tab for 'Security.'
In that Security tab there is a check box for "Account is sensitive and cannot be delegated."
As I understand it, if this box is checked, then other accounts on other computers can not impersonate this account; but what about on the same computer.
My question is this, will another account or another application on the same computer be restricted if this box is checked?

For example, suppose we have two domain accounts:
DMN\GeoMapServices .

Suppose that a scheduled task on a Win2K8r2 machine uses DMN\GeoAdmin to start a scheduled task, and that scheduled task starts a PowerShell session that runs a script on the same machine that manipulates a third party Windows service on the same machine; and that Windows service uses the DMN\GeoMapServices.

Normally, the scheduled task that runs with DMN\GeoAdmin is able to successfully run the PowerShell script that manipulates the DMN\GeoMapServices .
If the "Account is sensitive and cannot be delegated" box is checked for DMN\GeoMapServices' user properties, might that prevent the PowerShell script from manipulating the Windows service as was previously done?

Would it make a difference if the Windows service was on a different machine? For instance, what if a regular user like DMN\regUser, from his Win7 computer wanted to access a service that runs under DMN\GeoMapServices on the Win2K8 server?

What if the IIS account like, IIS_IUSRS wanted to impersonate the DMN\GeoMapService?

Would checking the "Account is sensitive and cannot be delegated" box for DMN\GeoMapService disrupt any of those activities?
Question by:XTO
  • 3
  • 2
LVL 12

Expert Comment

by:David Paris Vicente
ID: 39910078
That option is mostly used for guests or temporay accounts and cannot be assigned for delegation by another account.

So if I understood your question, and my advice is not use that option fro accounts that you want to use in services or impersonations.


Author Comment

ID: 39910125
Thank you granwizzard.

The order to do this is coming from upper management from a bigger company that acquired our company. I need to be able to make a logical case for not doing this. Could you give me some technical details based on the scenarios above?

So, if DMN\GeoMapService has that option clicked, does that mean that DMN\GeoMapService:
1. Can not be impersonated by another service
2. Can not impersonate another service
3. Both?

Also, does that option cause restrictions only across networks, or does it also cause restrictions on the same computer?
LVL 12

Expert Comment

by:David Paris Vicente
ID: 39911107

1.Constrained delegation enables impersonation without having the user's credentials or authentication token.

2.In a more typical meat-and-potatoes unconstrained delegation scenario, whether it is windows integrated authentication or forms authentication, having delegation access to a user's authentication token is very powerful. That literally means that token can be used to impersonate that user to access any network resource. Anyone involved in that process, such as a developer, could use that in a nefarious way to obtain unauthorized access.

In both examples, if the box is checked for "account is sensitive and cannot be delegated", these are not security issues. It's also possible to architect a system/feature where these capabilities do exist, but are tightly controlled.

That box should be checked for administrative accounts, such as members of the Enterprise Admins group, because (hopefully) those accounts rarely need to use applications that require impersonation. It is also be a good idea for senior executives who have access to sensitive information, such as a CIO, COO, head of Finance/Treasury, etc.

So the bottom line is, Microsoft provided that checkbox and the accompanying warning for a very good reason, and it should not be dismissed or taken lightly unless it can be demonstrated that a particular scenario does not have undesirable risk exposure, or some compensating control. This usually involves vetting by some qualified person(s) that are not involved in the actual implementation or development of an application or system.

I hope this could help you understand the concept.

Sorry if I couldn´t explained the concept in a better way.


Author Comment

ID: 39912551
Hi granwizzard, Does constraining delegation cause a restriction on
1. Both across the network and on the same computer
2. Only across the network?

LVL 12

Accepted Solution

David Paris Vicente earned 500 total points
ID: 39917283
If the account is using accross network the restrictions will be applied, if you are directly use the account/computer the restrictions will no be applied.

Ex: If you are using an accoutn with special permissions directly (no impersonation in place), you can do everything define for that account,  but if your account is going to be impersonated and you have restrictions that the account can´t be impersonated  when the impersonation contact AD will receive the status that the account can´t be impersonated and service will fail locally or across network.

Here are an explanation how the  Constrained Delegation and single sign onKerberos Protocol Transition and Constrained Delegation

I hope this can help you.

Featured Post

Industry Leaders: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

This article runs through the process of deploying a single EXE application selectively to a group of user.
Did you know that more than 4 billion data records have been recorded as lost or stolen since 2013? It was a staggering number brought to our attention during last week’s ManageEngine webinar, where attendees received a comprehensive look at the ma…
This tutorial will show how to configure a new Backup Exec 2012 server and move an existing database to that server with the use of the BEUtility. Install Backup Exec 2012 on the new server and apply all of the latest hotfixes and service packs. The…
This tutorial will show how to configure a single USB drive with a separate folder for each day of the week. This will allow each of the backups to be kept separate preventing the previous day’s backup from being overwritten. The USB drive must be s…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question