I'm looking to get some clarity on the process of disabling unconstrained delegation on Windows Domain Controllers, as advised by Microsoft's Defender for Identity. The thing is, the default setting in Active Directory has unconstrained delegation enabled for all domain controllers through the Default Domain Controller Group Policy. So, I'm a bit confused about why Microsoft is recommending disabling it when it's enabled by default.
Additionally, I want to know how to identify which Service Principal Names (SPNs) are utilizing delegation so that I can focus on enabling resource-based constrained delegation instead. Is there a specific Event ID I should check in the security logs on the DCs to find this out? I've done some research and found plenty of info on why to disable unconstrained delegation and the steps to do it, but not much on how to investigate and prepare for this. Any tips or articles you could share would be super helpful! Thanks!
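An added example, not part of the original question or any of the answers, showing how to answer the "which accounts and SPNs are using which kind of delegation" part from the directory itself rather than from the security log. The delegation configuration lives on the account objects: unconstrained delegation is the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl, constrained delegation is a populated msDS-AllowedToDelegateTo list on the front-end account (with TRUSTED_TO_AUTH_FOR_DELEGATION, 0x1000000, when "use any authentication protocol" is selected), and resource-based constrained delegation is a security descriptor in msDS-AllowedToActOnBehalfOfOtherIdentity on the target (resource) account. Domain controller computer accounts carry the TRUSTED_FOR_DELEGATION bit by default, so they are expected to appear in the unconstrained list; the report marks them via primaryGroupID 516 (Domain Controllers) and 521 (Read-only Domain Controllers). The script assumes the RSAT ActiveDirectory module and a domain-joined account with read access; the front-end and resource names in the conversion section at the end are hypothetical placeholders.

```powershell
# Added example: inventory Kerberos delegation settings across the domain and
# show the RBCD conversion for one front-end/resource pair. Not from the thread.
Import-Module ActiveDirectory

# userAccountControl flag values (MS-ADTS / AD schema)
$TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # constrained delegation with protocol transition
$NOT_DELEGATED                  = 0x100000   # "account is sensitive and cannot be delegated"

# LDAP bitwise-AND matching rule OID, used to test individual UAC bits
$BitAnd = '1.2.840.113556.1.4.803'

$Props = 'servicePrincipalName', 'userAccountControl', 'msDS-AllowedToDelegateTo',
         'msDS-AllowedToActOnBehalfOfOtherIdentity', 'primaryGroupID'

function Get-DelegationReport {
    # Unconstrained: any user or computer object with TRUSTED_FOR_DELEGATION set.
    $unconstrained = Get-ADObject -LDAPFilter "(&(|(objectClass=user)(objectClass=computer))(userAccountControl:${BitAnd}:=$TRUSTED_FOR_DELEGATION))" -Properties $Props
    foreach ($o in $unconstrained) {
        [pscustomobject]@{
            Name               = $o.Name
            Delegation         = 'Unconstrained'
            IsDomainController = ($o.primaryGroupID -in 516, 521)   # DCs are expected here
            ProtocolTransition = [bool]($o.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            SPNs               = ($o.servicePrincipalName -join ';')
            Targets            = ''   # unconstrained: any service, hence the risk
        }
    }

    # Constrained: front-end accounts that list the services they may delegate to.
    $constrained = Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties $Props
    foreach ($o in $constrained) {
        [pscustomobject]@{
            Name               = $o.Name
            Delegation         = 'Constrained'
            IsDomainController = ($o.primaryGroupID -in 516, 521)
            ProtocolTransition = [bool]($o.userAccountControl -band $TRUSTED_TO_AUTH_FOR_DELEGATION)
            SPNs               = ($o.servicePrincipalName -join ';')
            Targets            = ($o.'msDS-AllowedToDelegateTo' -join ';')
        }
    }

    # Resource-based: configured on the RESOURCE; the attribute is a security
    # descriptor whose ACEs name the front-end principals allowed to delegate to it.
    $rbcd = Get-ADObject -LDAPFilter '(msDS-AllowedToActOnBehalfOfOtherIdentity=*)' -Properties $Props
    foreach ($o in $rbcd) {
        $allowed = $o.'msDS-AllowedToActOnBehalfOfOtherIdentity'.Access |
                   ForEach-Object { $_.IdentityReference.Value }
        [pscustomobject]@{
            Name               = $o.Name
            Delegation         = 'Resource-based (this is the target)'
            IsDomainController = ($o.primaryGroupID -in 516, 521)
            ProtocolTransition = $false
            SPNs               = ($o.servicePrincipalName -join ';')
            Targets            = ($allowed -join ';')   # here: the front-ends allowed in
        }
    }
}

# Accounts explicitly protected from delegation, for comparison (plus Protected Users
# members, which the KDC also refuses to delegate).
function Get-NotDelegatedAccounts {
    Get-ADUser -LDAPFilter "(userAccountControl:${BitAnd}:=$NOT_DELEGATED)"
}

Get-DelegationReport | Sort-Object Delegation, Name | Format-Table -AutoSize

# --- Converting one hypothetical front-end to RBCD (placeholder names) -----
# 1. On the resource, allow the front-end's account to delegate to it.
Set-ADComputer -Identity 'SQL01' -PrincipalsAllowedToDelegateToAccount (Get-ADComputer 'WEB01') -WhatIf
# 2. Then clear the front-end's unconstrained / protocol-transition bits.
Set-ADAccountControl -Identity 'WEB01$' -TrustedForDelegation $false -TrustedToAuthForDelegation $false -WhatIf
```

Run the report before touching any flags, and leave `-WhatIf` on until the output matches what you expect. The directory answers "what is configured"; it does not tell you which delegations are actually exercised. For that you would have to correlate the KDC's service-ticket events (Event ID 4769, whose Ticket Options field carries the KDC options bitmask) with the front-end hosts, and the forwardable option alone is not evidence of delegation because clients request forwardable tickets routinely, so treat log review as a supplement to the LDAP inventory rather than a replacement for it.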
3 Answers
I don't believe you can remove this feature from Domain Controllers. It seems like there might be some misunderstanding from Defender's recommendation. Maybe it's confusing domain controllers with other entities.
After re-reading the recommendations, it looks like you're right. Defender somehow isn't recognizing them as domain controllers, which is creating this confusion. Also, I found that the documentation says to check your **non-domain controller** entities for unsecure Kerberos delegation. You can find that info at Microsoft’s security assessment page.
How old is your Group Policy Object (GPO)? We recently set up a new domain in 2025 and noticed that many defaults were different compared to our old GPO from 1999. Sometimes age can change the default settings significantly.
Honestly, I wouldn't recommend disabling unconstrained delegation on domain controllers. It's usually crucial for them. The whole issue with Defender for Identity flagging it might be a glitch on their end. Typically, unconstrained delegation is needed for DCs to function properly.

Exactly, I've been seeing similar issues. It seems like they need to update their guidance to be clearer.