Forum Discussion
Secure Score "this account is sensitive and cannot be delegated"
Hi In Microsoft Secure Score when selecting the recommended action Ensure that all privileged accounts have the configuration flag "this account is sensitive and cannot be delegated" and in the Expo...
Servers that have been automatically tagged as "Sensitive" due to the roles installed on them, like Domain controller, Certificate Authority.
starman2heven To do this on a “computer” object:
Set-ADComputer -Identity "dc1" -AccountNotDelegated $true
micheleariis the issue that many people are having with this is not so much HOW to do this but whether it's acceptable to do it.
The accepted wisdom for a long time now has been that you do NOT disable delegation on your DC computer accounts, that doing so will, in fact, degrade your domain functions, as domain services running on a DC rely on being able to delegate via the DC computer account to other servers in the domain.
But this Secure Score requirement is requiring that the DC computer account delegation be removed.
Frustratingly, all the official documentation on this, including the MS learn article specifically about this securescore requirement, completely ignore the computer accounts in the documentation. the learn article even shows computer accounts listed in it's example screenshot and then completely ignores them and only instructs on how to resolve delegation of sensitive USER accounts.Sblackery Hi, I absolutely agree with you.
The main problem is that these tips should be constantly updated and you don't mistakenly put obsolete remedies; I give the example of LAPS; if you activate it with the modern method, the score is not credited; if you use the one recommended by Microsoft (old procedure), it is; this is to say that many companies follow this score as a guideline and it should be like the bible.
