STIGhubSTIGhub
STIGsSearchCompareAbout

STIGhub

A free tool to search and browse the entire DISA STIG library. Saves up to 75% in security compliance research time.

Navigation

  • Browse STIGs
  • Search
  • Compare Versions

Resources

  • About
  • VPAT
  • DISA STIG Library
Powered by Pylon
© 2026 Beacon Cloud Solutions, Inc. All rights reserved.
← Back to Active Directory Domain Security Technical Implementation Guide

V-243478

CAT II (Medium)

Domain-joined systems (excluding domain controllers) must not be configured for unconstrained delegation.

Rule ID

SV-243478r959010_rule

STIG

Active Directory Domain Security Technical Implementation Guide

Version

V3R7

CCIs

CCI-000366

Discussion

Unconstrained delegation enabled on a computer can allow the computer account to be impersonated without limitation. If delegation is required, it must be limited/constrained to the specific services and accounts required.

Check Content

Open "Windows PowerShell" on a domain controller.

Enter "Get-ADComputer -Filter {(TrustedForDelegation -eq $True) -and (PrimaryGroupID -eq 515)} -Properties TrustedForDelegation, TrustedToAuthForDelegation, ServicePrincipalName, Description, PrimaryGroupID".

If any computers are returned, this is a finding. 
(TrustedForDelegation equaling True indicates unconstrained delegation.)

PrimaryGroupID 515 = Domain computers (excludes DCs)
TrustedForDelegation = Unconstrained Delegation
TrustedToAuthForDelegation = Constrained delegation
ServicePrincipalName = Service Names
Description = Computer Description

Fix Text

Remove unconstrained delegation from computers in the domain. 

Select "Properties" for the computer object.

Select the "Delegation" tab.

De-select "Trust this computer for delegation to any service (Kerberos only)"

Configured constrained delegation for specific services where required.