Forum Discussion
starman2heven
Oct 25, 2024, Brass Contributor
Secure Score "this account is sensitive and cannot be delegated"
Hi, in Microsoft Secure Score, when selecting the recommended action "Ensure that all privileged accounts have the configuration flag 'this account is sensitive and cannot be delegated'" and in the Expo...
micheleariis
Oct 25, 2024, Steel Contributor
starman2heven To do this on a “computer” object:
Set-ADComputer -Identity "dc1" -AccountNotDelegated $true
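An added example (not code from the original post or from Microsoft) that extends the one-liner above to the check most people want before acting on this recommendation: enumerate members of the privileged groups, report which objects lack the NOT_DELEGATED bit (0x100000 in userAccountControl, the same bit that -AccountNotDelegated toggles), set it on user accounts only, and list domain controller computer accounts (primaryGroupID 516 or 521) separately instead of changing them. The group list, the -WhatIf-first flow and the decision to leave DCs untouched are assumptions of this example, not part of the Secure Score recommendation text quoted in the thread.

```powershell
# Added example, not part of the original thread. Requires the ActiveDirectory RSAT module.
# ADS_UF_NOT_DELEGATED is bit 0x100000 of userAccountControl; Set-ADUser / Set-ADComputer
# -AccountNotDelegated set or clear that same bit.
Import-Module ActiveDirectory

$NotDelegated = 0x100000

# Assumption: these are the groups treated as "privileged" for this check. Adjust to your tiering model.
# The two DC groups are included so that DC computer accounts show up, as they do in Secure Score.
$PrivilegedGroups = @(
    'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators',
    'Account Operators', 'Server Operators', 'Backup Operators',
    'Domain Controllers', 'Read-only Domain Controllers'
)

# Collect unique principals (users, computers, service accounts) that are direct or nested members.
$members = foreach ($g in $PrivilegedGroups) {
    try { Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop }
    catch { Write-Warning "Group '$g' not found or not readable: $_" }
}
$members = $members | Sort-Object -Property DistinguishedName -Unique

$report = foreach ($m in $members) {
    # Get-ADObject works for any object class; primaryGroupID 516 = writable DC, 521 = RODC.
    $obj = Get-ADObject -Identity $m.DistinguishedName -Properties userAccountControl, primaryGroupID, sAMAccountName
    [pscustomobject]@{
        Name         = $obj.sAMAccountName
        Class        = $obj.ObjectClass
        IsDC         = ($obj.ObjectClass -eq 'computer' -and $obj.primaryGroupID -in @(516, 521))
        NotDelegated = [bool]($obj.userAccountControl -band $NotDelegated)
        DN           = $obj.DistinguishedName
    }
}

# 1) Everything that currently fails the check, DCs included, so you can see what Secure Score counts.
$report | Where-Object { -not $_.NotDelegated } |
    Format-Table Name, Class, IsDC, NotDelegated -AutoSize

# 2) Remediate user accounts only. Remove -WhatIf once the list above looks right.
$report | Where-Object { $_.Class -eq 'user' -and -not $_.NotDelegated } | ForEach-Object {
    Set-ADUser -Identity $_.DN -AccountNotDelegated $true -WhatIf
}

# 3) DC computer accounts are reported, not changed: whether flagging them is safe is exactly the
#    open question in this thread, so that decision is left to the admin.
$report | Where-Object { $_.IsDC -and -not $_.NotDelegated } |
    Format-Table Name, DN -AutoSize

# 4) Any non-DC computer or service account in a privileged group is unusual and deserves a manual look.
$report | Where-Object { $_.Class -ne 'user' -and -not $_.IsDC -and -not $_.NotDelegated } |
    Format-Table Name, Class, DN -AutoSize
```

Run it from a workstation with RSAT as an account that can read userAccountControl on the objects in question; only step 2 writes anything, and only after -WhatIf is removed.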
Sblackery
Oct 28, 2024, Copper Contributor
micheleariis The issue that many people are having with this is not so much HOW to do this but whether it's acceptable to do it.
The accepted wisdom for a long time now has been that you do NOT disable delegation on your DC computer accounts, that doing so will, in fact, degrade your domain functions, as domain services running on a DC rely on being able to delegate via the DC computer account to other servers in the domain.
But this Secure Score requirement is requiring that the DC computer account delegation be removed.
Frustratingly, all the official documentation on this, including the MS Learn article specifically about this Secure Score requirement, completely ignores the computer accounts. The Learn article even shows computer accounts listed in its example screenshot and then completely ignores them and only instructs on how to resolve delegation of sensitive USER accounts.
micheleariis
Oct 28, 2024, Steel Contributor
Sblackery Hi, I absolutely agree with you.
The main problem is that these tips should be constantly updated so that obsolete remedies are not mistakenly included. I give the example of LAPS: if you activate it with the modern method, the score is not credited; if you use the one recommended by Microsoft (the old procedure), it is. This is to say that many companies follow this score as a guideline, and it should be like the bible.
LiorShapira
Oct 28, 2024, Microsoft
micheleariis Sblackery We are currently working on excluding DCs from this recommendation. We will update our public docs to include remediation steps for device accounts, and the recommendation title will be changed as well. All will be available by the beginning of next week.
Sblackery
Nov 04, 2024, Copper Contributor
Hi, I see the Learn documentation has been changed as you stated, but the Secure Score recommendation has not changed in either title or function (DCs are still listed). Does this mean the remediation steps should be followed for DCs also, or is the Secure Score update delayed? Thanks!