![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(128, 8%, 22%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EA%3C/text%3E%3C/svg%3E)
656 questions
Hi Lava Bak,
Thank you for posting in the Microsoft Community Forums.
If the domain controller is designed with unrestricted delegation, it may pose security risks as it allows unrestricted access to domain resources and permissions. Generally, it is not advisable to maintain unrestricted delegation. If such settings exist on your domain controller, you should take steps to restrict delegation and enhance security as soon as possible.
You can change unrestricted delegation settings by following these steps:
- Check Current Delegation Settings: Firstly, use tools such as Active Directory Users and Computers or Active Directory Administrative Center to check the current delegation settings. Make sure to understand which delegation relationships are unrestricted.
- Restrict Delegation Permissions: For each unrestricted delegation relationship, you can take one or more of the following actions:
- Limit delegation permissions to involve only specific objects or operations.
- Use the principle of least privilege to ensure that delegation relationships grant only the minimum permissions required by users or groups.
- Use Delegation Management Tools: Use delegation management tools in Active Directory to manage and configure delegation permissions. These tools can help you manage delegation relationships more conveniently, ensuring security and compliance.
Best regards
Neuvi Jiang