Enable computer and user accounts to be trusted for delegation (Windows)

Module: Account Integrity

Supported Platforms: Windows 2000, Windows 2003, Windows 2008

This check reports accounts with rights to change the Trusted for Delegation setting on a user or computer object in the Active Directory. Delegation is used by multitier client/server applications. An account with this user right may be able to conduct sophisticated attacks to gain access to network resources. You can use the name list to exclude or include users or security groups that are not already excluded or included by the Users to check option.

The following table lists the error message for the check.

Table: Error message for Enable computer and user accounts to be trusted for delegation

Message String ID and Category

Platform and Message Numeric ID

Message Title and Description

Additional Information

String ID: ESM_ENABLE_TRUSTED_DELEGATION

Category: Policy Compliance

  • Windows 2000 (105955)

  • Windows 2003 (205955)

  • Windows 2008 (248955)

Title: Enable computer and user accounts to be trusted for delegation

Description:The reported user or security group has the right to change the Trusted for Delegation setting on a user or computer object in the Active Directory. Delegation is used by multi-tier client/server applications. To revoke this right, right-click the Updatable/Correctable field, then click Correct.

Severity: yellow-1

Correctable: true

Snapshot Updatable: false

Template Updatable: false

Information Field Format: [%s]