Secure Score wants me to disable delegation on my Domain Controller computer accounts

Steven Blackery 0 Reputation points
2024-09-25T10:36:40.8733333+00:00

Originally posted on the Office 365 'answers' forum, but I was told that was not the correct place and I should post it here instead.

Microsoft Secure Score flagged a number of 'privileged' accounts on my AD domain that were set to allow delegation.

I had no problem at all changing this for a number of privileged user accounts, absolutely correct that I should have set those.

However, it's also flagging the computer accounts for my 2 DCs (Server 2022). Everything I read about this indicates that DC computer accounts are the one thing that needs delegation allowed, and that disabling it (by setting 'do not trust this computer for delegation' on the AD object) would be a bad thing to do. But until I do, Secure Score is docking me points.

However, all the articles I can find on the subject are quite old, certainly pre-dating Server 2022.

Which is wrong here, the collective (but possibly outdated) wisdom of the internet, or Secure Score? Can I safely disable delegation on my DC computer accounts without breaking anything?


1 answer

  1. Daisy Zhou 24,666 Reputation points Microsoft Vendor
    2024-09-26T07:44:36.54+00:00

    Hello Steven Blackery,

    Thank you for posting in Q&A forum.

    The best practice for disabling delegation on Domain Controller computer accounts is to prevent attacks that leverage delegation to use the account's credentials on other systems. This is done by marking the account as "sensitive and cannot be delegated".

    For more information, please refer to the link below:
    Appendix D - Securing Built-In Administrator Accounts in Active Directory | Microsoft Learn

    I hope the information above is helpful.

    If you have any questions or concerns, please feel free to let us know.

    Best Regards,

    Daisy Zhou

    ============================================

    If the Answer is helpful, please click "Accept Answer" and upvote it.
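The thread turns on two different userAccountControl settings: "Trust this computer for delegation" (TrustedForDelegation) and "Account is sensitive and cannot be delegated" (AccountNotDelegated), which the answer refers to. The following audit script is an added example, not code from the question, the answer, or Microsoft; it assumes the ActiveDirectory RSAT module and read access to the domain, and lists both flags side by side for the domain controllers' computer accounts and for privileged users (AdminCount=1), so that a Secure Score finding can be matched to the specific flag it concerns before anything is changed.

```powershell
# Added example: report delegation-related flags on DC computer accounts and
# privileged user accounts. Read-only; the remediation cmdlet is shown as a
# comment at the end and is not executed.
Import-Module ActiveDirectory

# Extended properties exposed by the AD module plus the constrained-delegation target list.
$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'AccountNotDelegated', 'msDS-AllowedToDelegateTo'

function Get-DelegationRow {
    # Normalises one user or computer object into a single report row.
    param($Obj, [string]$Type)
    [pscustomobject]@{
        Account                    = $Obj.SamAccountName
        Type                       = $Type
        # Unconstrained delegation ("Trust this computer for delegation"); set on DCs by default.
        TrustedForDelegation       = [bool]$Obj.TrustedForDelegation
        # Constrained delegation with protocol transition ("use any authentication protocol").
        TrustedToAuthForDelegation = [bool]$Obj.TrustedToAuthForDelegation
        ConstrainedTargets         = (@($Obj.'msDS-AllowedToDelegateTo') -join ';')
        # "Account is sensitive and cannot be delegated"; the flag the answer recommends for privileged accounts.
        AccountNotDelegated        = [bool]$Obj.AccountNotDelegated
    }
}

$rows = @()

# Domain controllers are located from the directory rather than by hard-coded names.
foreach ($dn in (Get-ADDomainController -Filter *).ComputerObjectDN) {
    $dc = Get-ADComputer -Identity $dn -Properties $props
    $rows += Get-DelegationRow -Obj $dc -Type 'DomainController'
}

# AdminCount=1 is stamped by SDProp on members of the protected groups (Domain Admins etc.).
foreach ($u in Get-ADUser -Filter 'AdminCount -eq 1' -Properties $props) {
    $rows += Get-DelegationRow -Obj $u -Type 'PrivilegedUser'
}

$rows | Sort-Object Type, Account | Format-Table -AutoSize

# Privileged users that show AccountNotDelegated = False are the ones the answer's
# recommendation applies to. To set the flag on such a user account:
#   Set-ADAccountControl -Identity <samAccountName> -AccountNotDelegated $true
# (Replace <samAccountName> with the account from the report.)
```

Run it from a management host as an account that can read the domain; no change is made to any object.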

