Is Active Directory user account delegation used on the same computer?

Posted on 2014-03-06
Last Modified: 2014-03-10
In the User Properties for Active Directory there is a tab for 'Security.'
In that Security tab there is a check box for "Account is sensitive and cannot be delegated."
As I understand it, if this box is checked, then other accounts on other computers cannot impersonate this account; but what about on the same computer?
My question is this: will another account or another application on the same computer be restricted if this box is checked?

For example, suppose we have two domain accounts:
DMN\GeoMapServices.

Suppose that a scheduled task on a Win2K8r2 machine uses DMN\GeoAdmin to start a scheduled task, and that scheduled task starts a PowerShell session that runs a script on the same machine that manipulates a third party Windows service on the same machine; and that Windows service uses the DMN\GeoMapServices.

Normally, the scheduled task that runs with DMN\GeoAdmin is able to successfully run the PowerShell script that manipulates the DMN\GeoMapServices.
If the "Account is sensitive and cannot be delegated" box is checked for DMN\GeoMapServices' user properties, might that prevent the PowerShell script from manipulating the Windows service as was previously done?

Would it make a difference if the Windows service was on a different machine? For instance, what if a regular user like DMN\regUser, from his Win7 computer wanted to access a service that runs under DMN\GeoMapServices on the Win2K8 server?

What if an IIS account, like IIS_IUSRS, wanted to impersonate DMN\GeoMapService?

Would checking the "Account is sensitive and cannot be delegated" box for DMN\GeoMapService disrupt any of those activities?
Question by:XTO

Expert Comment

by:David Paris Vicente
ID: 39910078
That option is mostly used for guest or temporary accounts, and such an account cannot be assigned for delegation by another account.

So, if I understood your question, my advice is not to use that option for accounts that you want to use in services or impersonations.


Author Comment

ID: 39910125
Thank you granwizzard.

The order to do this is coming from upper management from a bigger company that acquired our company. I need to be able to make a logical case for not doing this. Could you give me some technical details based on the scenarios above?

So, if DMN\GeoMapService has that option clicked, does that mean that DMN\GeoMapService:
1. Can not be impersonated by another service
2. Can not impersonate another service
3. Both?

Also, does that option cause restrictions only across networks, or does it also cause restrictions on the same computer?

Expert Comment

by:David Paris Vicente
ID: 39911107

1.Constrained delegation enables impersonation without having the user's credentials or authentication token.

2.In a more typical meat-and-potatoes unconstrained delegation scenario, whether it is windows integrated authentication or forms authentication, having delegation access to a user's authentication token is very powerful. That literally means that token can be used to impersonate that user to access any network resource. Anyone involved in that process, such as a developer, could use that in a nefarious way to obtain unauthorized access.

In both examples, if the box is checked for "account is sensitive and cannot be delegated", these are not security issues. It's also possible to architect a system/feature where these capabilities do exist, but are tightly controlled.

That box should be checked for administrative accounts, such as members of the Enterprise Admins group, because (hopefully) those accounts rarely need to use applications that require impersonation. It is also a good idea for senior executives who have access to sensitive information, such as a CIO, COO, head of Finance/Treasury, etc.

So the bottom line is, Microsoft provided that checkbox and the accompanying warning for a very good reason, and it should not be dismissed or taken lightly unless it can be demonstrated that a particular scenario does not have undesirable risk exposure, or some compensating control. This usually involves vetting by some qualified person(s) that are not involved in the actual implementation or development of an application or system.

I hope this could help you understand the concept.

Sorry if I couldn't explain the concept in a better way.


Author Comment

ID: 39912551
Hi granwizzard, does constraining delegation cause a restriction on
1. Both across the network and on the same computer
2. Only across the network?


Accepted Solution

David Paris Vicente earned 1500 total points
ID: 39917283
If the account is used across the network the restrictions will be applied; if you use the account/computer directly the restrictions will not be applied.

Ex: If you are using an account with special permissions directly (no impersonation in place), you can do everything defined for that account, but if your account is going to be impersonated and you have restrictions that the account can't be impersonated, then when the impersonation contacts AD it will receive the status that the account can't be impersonated and the service will fail locally or across the network.

Here is an explanation of how Constrained Delegation and single sign-on work: Kerberos Protocol Transition and Constrained Delegation

I hope this can help you.
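As an added example that is not part of this thread or of any Microsoft tooling, the PowerShell below shows how to audit the setting the question is about. The "Account is sensitive and cannot be delegated" checkbox sets the UF_NOT_DELEGATED bit (0x100000) in the account's userAccountControl attribute; it prevents that account's identity from being delegated (impersonated onward) by a service via Kerberos delegation, and it has no effect on the account's own direct logons or on what the account itself may impersonate. Whether it changes anything in practice depends on whether some computer or service account in the domain is actually configured for unconstrained or constrained delegation, so the script lists both sides: accounts already marked sensitive, and principals allowed to delegate. It assumes the ActiveDirectory RSAT module in a domain-joined administrative session; the account name GeoMapServices is taken from the question and the function names are this example's own.

```powershell
# Added example (not from the original thread): audit the NOT_DELEGATED flag and
# the delegation configuration that makes it matter. Requires the ActiveDirectory
# module from RSAT and a session that can read the domain.
Import-Module ActiveDirectory

# Bits of userAccountControl, as documented by Microsoft.
$UF_TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation (524288)
$UF_NOT_DELEGATED          = 0x100000  # "Account is sensitive and cannot be delegated" (1048576)

# Account name taken from the question; replace with your own service account.
$ServiceAccount = 'GeoMapServices'

function Get-SensitiveAccounts {
    # Every user whose userAccountControl has the NOT_DELEGATED bit set.
    # 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND rule.
    Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=$UF_NOT_DELEGATED)" `
               -Properties userAccountControl |
        Select-Object SamAccountName, DistinguishedName
}

function Get-DelegatingPrincipals {
    # Computers and users that are allowed to delegate: unconstrained
    # (TRUSTED_FOR_DELEGATION set) or constrained (msDS-AllowedToDelegateTo populated).
    # A sensitive account is only ever blocked when one of these tries to delegate it.
    $filter = "(|(userAccountControl:1.2.840.113556.1.4.803:=$UF_TRUSTED_FOR_DELEGATION)(msDS-AllowedToDelegateTo=*))"
    Get-ADObject -LDAPFilter $filter -Properties userAccountControl, 'msDS-AllowedToDelegateTo' |
        Select-Object Name, ObjectClass,
            @{ n = 'Unconstrained'; e = { ($_.userAccountControl -band $UF_TRUSTED_FOR_DELEGATION) -ne 0 } },
            @{ n = 'ConstrainedTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ';' } }
}

function Test-AccountNotDelegated {
    # True when the checkbox is ticked for the given account.
    param([Parameter(Mandatory)][string]$SamAccountName)
    $u = Get-ADUser -Identity $SamAccountName -Properties userAccountControl
    return (($u.userAccountControl -band $UF_NOT_DELEGATED) -ne 0)
}

function Set-AccountNotDelegated {
    # Tick or clear the checkbox. Set-ADAccountControl exposes this bit as -AccountNotDelegated.
    param([Parameter(Mandatory)][string]$SamAccountName, [bool]$Enabled = $true)
    Set-ADAccountControl -Identity $SamAccountName -AccountNotDelegated $Enabled
}

"Accounts already marked sensitive:"
Get-SensitiveAccounts | Format-Table -AutoSize

"Principals configured for Kerberos delegation (the only place the flag takes effect):"
Get-DelegatingPrincipals | Format-Table -AutoSize

"Is $ServiceAccount currently marked sensitive? $(Test-AccountNotDelegated $ServiceAccount)"
# To apply the setting from the question, uncomment:
# Set-AccountNotDelegated -SamAccountName $ServiceAccount -Enabled $true
```

For the scenarios in the question, this gives a concrete way to argue the case: if the second listing is empty, or contains no host that fronts GeoMapServices, nothing in the environment delegates that account today and ticking the box cannot break the local scheduled task, the service control from PowerShell, or a user's direct connection to the service. If it does list such a host (an IIS server with an SPN and constrained delegation to the back end, for example), that host is the one path the flag will close, and that is where to test before rolling the change out.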
