Enable Computer and User Accounts to be Trusted for Delegation Security Settings
The policy setting ‘Enable computer and user accounts to be trusted for delegation’ determines which accounts (by default Administrators; ideally No One where it is not needed) are allowed to change the Trusted for Delegation setting on a computer object in Active Directory. Abuse of this privilege could allow unauthorized users to impersonate other users on the network.
What is computer or user account delegation?
The Windows security setting ‘Enable computer and user accounts to be trusted for delegation’ is a powerful security feature primarily used in enterprise environments. When an account is trusted for delegation, that account is allowed to use a user’s credentials to access other resources on the user’s behalf.
Allowing a computer or user account to act on behalf of another account when accessing resources or services on other servers in the network is useful where a service or application needs to reach resources across multiple servers without requiring the user to log in repeatedly. For instance, a web application might need to access a database server and a file server on behalf of the user.
Security account delegation makes it possible to connect through multiple servers while each server hop retains the authentication credentials of the original client. Delegation of authentication is a capability that multi-tier client and server applications rely on.
Risks of delegation misuse
If an account that has been granted the trusted for delegation permission is compromised, an attacker could potentially gain access to any resource that the authenticated user could access. Because the attacker is impersonating a legitimately authenticated account, it can be hard to determine that an attack is taking place.
Misuse of the Enable computer and user accounts to be trusted for delegation user right could allow unauthorized users to impersonate other users on the network.
Real world vulnerabilities
Although not directly associated with this specific security setting, delegation settings are a known weakness and have been used in targeted attacks previously. CVE-2020-17049 exploits a related delegation weakness under certain conditions to trick the system into granting the attacker delegation rights to other accounts.
How to change computer and user accounts to be trusted for delegation configuration
This user right is defined in the Default Domain Controller Group Policy Object (GPO) and in the local security policy of workstations and servers. To establish the recommended configuration via GPO, configure the following UI path:
Navigate to Local Computer Policy >> Computer Configuration >> Windows Settings >> Security Settings >> Local Policies >> User Rights Assignment >> Enable computer and user accounts to be trusted for delegation
Default value
The table below outlines the actual and effective default policy values for the latest supported versions of Windows. You can also find the default values on the policy’s property page.
| Server type or GPO | Default value |
| --- | --- |
| Default Domain Policy | Not defined |
| Default Domain Controller Policy | Not defined |
| Stand-Alone Server Default Settings | Not defined |
| Domain Controller Effective Default Settings | Administrators |
| Member Server Effective Default Settings | Administrators |
| Client Computer Effective Default Settings | Administrators |
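To verify who actually holds this user right on a given machine before comparing it with the defaults above, the following PowerShell audit script is an added example (not from the original page): it exports the effective local security policy with secedit.exe, reads the SeEnableDelegationPrivilege entry (the internal name of this user right) and resolves the SIDs to account names. It assumes an elevated prompt on the Windows host being checked; the function name Get-DelegationRightHolders is the example's own.

```powershell
# Added audit example: report which accounts hold the user right
# "Enable computer and user accounts to be trusted for delegation".
# Assumes an elevated PowerShell session; secedit.exe ships with Windows.

function Get-DelegationRightHolders {
    [CmdletBinding()]
    param()

    $inf = Join-Path $env:TEMP ("secpol-{0}.inf" -f [guid]::NewGuid())
    try {
        # Export only the [Privilege Rights] section of the effective policy
        & secedit.exe /export /cfg $inf /areas USER_RIGHTS /quiet | Out-Null
        $line = Get-Content -Path $inf |
            Where-Object { $_ -match '^SeEnableDelegationPrivilege\s*=' }
        if (-not $line) {
            # No entry at all means the right is assigned to "No One"
            return @()
        }
        $raw = ($line -split '=', 2)[1].Trim()
        foreach ($entry in ($raw -split ',')) {
            $entry = $entry.Trim()
            # secedit writes SIDs prefixed with '*'; anything else is already a name
            if ($entry.StartsWith('*')) {
                $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value }
                catch { $name = '<unresolved>' }
                [pscustomobject]@{ Sid = $sid.Value; Account = $name }
            } else {
                [pscustomobject]@{ Sid = $null; Account = $entry }
            }
        }
    } finally {
        Remove-Item -Path $inf -ErrorAction SilentlyContinue
    }
}

# Compare the result with the default table: Administrators (S-1-5-32-544) is
# expected on domain controllers; member servers and workstations should be empty.
$holders = @(Get-DelegationRightHolders)
if ($holders.Count -eq 0) {
    'SeEnableDelegationPrivilege: No One (recommended for member servers and workstations)'
} else {
    $holders | Format-Table -AutoSize
}
```

Any account listed on a member server or workstation, or any non-Administrators account on a domain controller, is a finding to review against the hardening guidance that follows.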
Hardening best practices
This user right should not be assigned to anyone on member servers and workstations within a domain, as it has no significance in those environments. It is only applicable to domain controllers and stand-alone computers.
For most users, it is recommended to keep the ‘Enable computer and user accounts to be trusted for delegation’ setting disabled. While there may be situations where enabling it is necessary, it is crucial to understand the risks and benefits first.
Server hardening is a proactive approach to a good security posture. By minimizing potential entry points, it reduces attack surfaces and risk of exploitable vulnerabilities.