1 post • joined 5 Dec 2018
Re: Like a US drug commercial...
I think you've misunderstood.
Delegation in the context of "Account is sensitive and cannot be delegated" is *Kerberos* delegation - not delegation of control in AD DS, which is just adding permissions to an ACL much like granting rights over files and folders.
To be clear, enabling this setting doesn't impact delegation of administration in AD DS.
Kerberos delegation allows a user/computer/service to act on behalf of another user, and can be unconstrained Kerberos delegation, or constrained to specific services using Kerberos (i.e. Kerberos Constrained Delegation - KCD) or any authentication protocol (e.g. for NTLM protocol transition). The less constrained, the higher the risk (in theory). ISA/TMG reverse proxying and SharePoint are/were common use cases for this functionality.
There's some great new functionality for Protected Accounts available in AD DS and the OS from Windows Server 2012 R2 and Windows 8.1 and above that offers significant protection in this space, but requires configuration - it's not on by default. Protected Accounts, in a domain with functional level Windows Server 2012 R2 or higher, cannot 'be delegated by using unconstrained or constrained delegation'.
GO because... GO implement this in your AD DS environment.
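To make the distinction above concrete, here is an added audit script (not the poster's code) that lists which principals are trusted for Kerberos delegation and whether privileged accounts carry the "Account is sensitive and cannot be delegated" flag or sit in Protected Users. It assumes the ActiveDirectory RSAT module in a domain-joined session; the userAccountControl bit values and the Protected Users RID (525) are Microsoft-documented constants.

```powershell
# Added example: Kerberos delegation audit (assumes the ActiveDirectory RSAT module).
Import-Module ActiveDirectory

# userAccountControl bits as documented by Microsoft.
$UF_TRUSTED_FOR_DELEGATION         = 0x80000    # unconstrained delegation
$UF_NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
$UF_TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # KCD with "any authentication protocol" (protocol transition)
$BitAnd = '1.2.840.113556.1.4.803'              # LDAP_MATCHING_RULE_BIT_AND
$Props  = 'userAccountControl','msDS-AllowedToDelegateTo','objectClass'

function Get-DelegationTrustReport {
    # Users, computers and service accounts trusted for unconstrained delegation (DCs are expected here).
    Get-ADObject -LDAPFilter "(userAccountControl:$BitAnd:=$UF_TRUSTED_FOR_DELEGATION)" -Properties $Props |
        ForEach-Object {
            [pscustomobject]@{ Name = $_.Name; Class = $_.objectClass; Mode = 'Unconstrained'; Targets = '*' }
        }
    # Constrained delegation: msDS-AllowedToDelegateTo lists the target SPNs; flag protocol transition separately.
    Get-ADObject -LDAPFilter '(msDS-AllowedToDelegateTo=*)' -Properties $Props |
        ForEach-Object {
            $anyProto = ($_.userAccountControl -band $UF_TRUSTED_TO_AUTH_FOR_DELEGATION) -ne 0
            [pscustomobject]@{
                Name    = $_.Name
                Class   = $_.objectClass
                Mode    = if ($anyProto) { 'Constrained (any auth protocol)' } else { 'Constrained (Kerberos only)' }
                Targets = ($_.'msDS-AllowedToDelegateTo' -join ';')
            }
        }
}

function Get-PrivilegedAccountDelegationStatus {
    # Protected Users is the well-known domain group with RID 525.
    $domainSid        = (Get-ADDomain).DomainSID.Value
    $protectedMembers = (Get-ADGroupMember -Identity "$domainSid-525" -Recursive).DistinguishedName
    # Domain Admins used as the sample of sensitive accounts; extend the list to suit the environment.
    Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
        Where-Object objectClass -eq 'user' |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties userAccountControl
            [pscustomobject]@{
                SamAccountName   = $u.SamAccountName
                NotDelegatedFlag = ($u.userAccountControl -band $UF_NOT_DELEGATED) -ne 0
                InProtectedUsers = $protectedMembers -contains $u.DistinguishedName
            }
        }
}

Get-DelegationTrustReport | Format-Table -AutoSize
Get-PrivilegedAccountDelegationStatus | Format-Table -AutoSize
```

Accounts in the second table with both columns False are the ones the post is about: their TGTs can be reused by anything in the first table.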