Understanding Unconstrained Delegation on Windows Domain Controllers

Asked By CuriousCoder92 On

I'm looking for guidance on how to disable unconstrained delegation on Windows domain controllers, as suggested by Microsoft's Defender for Identity. The issue is that unconstrained delegation is enabled by default on all domain controllers through the Default Domain Controller Group Policy. Why does Microsoft recommend disabling it when it is the default setting? Additionally, how can I identify which Service Principal Names (SPNs) are using delegation so I can switch to resource-based constrained delegation? Is there an event ID I can monitor in the security logs of the DCs to find this information? I've come across several resources discussing the risks of unconstrained delegation and instructions for disabling it, but I haven't found much on how to verify and prepare my environment for this change. Any help or references would be greatly appreciated!

3 Answers

Answered By NetworkNinja45 On

How old is your Group Policy Object (GPO)? We created a new domain in 2025 and noticed that many defaults differ from our old GPO from 1999, which might explain some inconsistency.

Answered By AdminGeek99 On

Generally speaking, keeping unconstrained delegation on domain controllers is standard practice. Disabling it may create issues, especially since it's essential for DC functionality. If Microsoft Defender for Identity is flagging this, it could be an error in how it interprets the settings for domain controllers.

Answered By SecuritySavvy07 On

I don’t believe you can remove unconstrained delegation from domain controllers. It looks like there might be confusion with Defender for Identity's recommendations. Make sure to double-check the documentation; it appears they are advising on non-domain controller entities rather than DCs.

TechWhiz12 -

I reviewed the documentation again, and it seems that Defender isn't recognizing domain controllers correctly, which does cause confusion. The recommendations actually pertain to your non-DC systems that may have insecure Kerberos delegation. You can check more details at Microsoft's security score page.

KerberosExpert01 -

Exactly, unconstrained delegation has its place, but look into resource-based constrained delegation for other services. Just be careful about changes with DCs.
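The original question also asked how to find out which accounts and SPNs currently rely on delegation before moving anything to resource-based constrained delegation. The script below is an added example, not code from the thread or from Microsoft tooling: it inventories every user and computer object in the domain that has any form of Kerberos delegation configured, classifies it as unconstrained, constrained, or an RBCD resource, and marks domain controllers separately so that their expected unconstrained delegation is not mistaken for a finding. It assumes the RSAT ActiveDirectory PowerShell module is installed and that the caller has read access to the domain.

```powershell
# Added example: audit Kerberos delegation settings in Active Directory.
# Assumes the RSAT ActiveDirectory module is available and the caller can read AD.
Import-Module ActiveDirectory

# LDAP filter matching any object with delegation configured:
#  - userAccountControl bit 0x80000 (524288, TRUSTED_FOR_DELEGATION) = unconstrained delegation;
#    1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule OID
#  - msDS-AllowedToDelegateTo                   = classic constrained delegation (set on the front-end account)
#  - msDS-AllowedToActOnBehalfOfOtherIdentity   = resource-based constrained delegation (set on the resource)
$delegationFilter = '(|(userAccountControl:1.2.840.113556.1.4.803:=524288)(msDS-AllowedToDelegateTo=*)(msDS-AllowedToActOnBehalfOfOtherIdentity=*))'

$props = 'userAccountControl', 'servicePrincipalName', 'msDS-AllowedToDelegateTo', 'PrincipalsAllowedToDelegateToAccount'

# Domain controllers are expected to have unconstrained delegation; record their names so they can be excluded from findings.
$dcNames = Get-ADDomainController -Filter * | ForEach-Object { $_.Name }

# Query computers and users separately so the friendly RBCD property (PrincipalsAllowedToDelegateToAccount) is populated.
$objects = @(Get-ADComputer -LDAPFilter $delegationFilter -Properties $props) +
           @(Get-ADUser     -LDAPFilter $delegationFilter -Properties $props)

$report = foreach ($obj in $objects) {
    $isUnconstrained = (($obj.userAccountControl -band 0x80000) -ne 0)
    $constrainedTo   = @($obj.'msDS-AllowedToDelegateTo')
    $rbcdPrincipals  = @($obj.PrincipalsAllowedToDelegateToAccount)

    $kind = if ($isUnconstrained)                { 'Unconstrained' }
            elseif ($constrainedTo.Count -gt 0)  { 'Constrained' }
            else                                 { 'RBCD resource' }

    [pscustomobject]@{
        Name        = $obj.Name
        Class       = $obj.ObjectClass
        Delegation  = $kind
        IsDC        = ($obj.ObjectClass -eq 'computer' -and $dcNames -contains $obj.Name)
        SPNs        = ($obj.servicePrincipalName -join '; ')
        Constrained = ($constrainedTo -join '; ')
        RBCDFrom    = (($rbcdPrincipals | ForEach-Object { $_.ToString() }) -join '; ')
    }
}

# Findings: unconstrained delegation on anything that is not a domain controller.
# These are the accounts (and their SPNs) to migrate to constrained or resource-based delegation.
$report | Where-Object { $_.Delegation -eq 'Unconstrained' -and -not $_.IsDC } |
    Format-Table Name, Class, SPNs -AutoSize

# Full inventory, useful for planning and for re-running after changes to confirm the result.
$report | Sort-Object Delegation, Name | Format-Table -AutoSize
```

Run this from a management host with the AD module installed; it only reads directory attributes and changes nothing. The `IsDC` column reproduces the point made in the answers above: domain controllers appear in the inventory because they legitimately carry the TRUSTED_FOR_DELEGATION bit, and the findings list deliberately leaves them out so that the migration work is scoped to member servers and service accounts. Re-running the script after each change gives a quick verification that an account has dropped from the "Unconstrained" set and that its RBCD configuration shows up on the intended resource object.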
