
Set user account not to be delegated

Posted: February 18, 2012

One of the settings on the Account tab of a user object is a tick box labelled "Account is sensitive and cannot be delegated". Ticking it prevents delegated authentication, which occurs when a network service accepts a request from a user and then assumes that user's identity in order to open a new connection to a second network service. With the flag set, a service that has been trusted for delegation (constrained or unconstrained) cannot obtain a ticket as that user, so a compromised or over-trusted service cannot impersonate the account onward.

Usually you set this on an account that has too many permissions for delegation to be acceptable (domain and enterprise administrators, service account owners and the like), or on an account that you simply don't want to be able to reach services in this manner.

The default is that this type of delegation can occur. If we don't want to allow it we need to set the NOT_DELEGATED bit (0x100000, decimal 1048576) in the useraccountcontrol attribute.

Note that the script assumes the bit isn't already set: three of the four methods use an exclusive OR, which toggles the bit rather than setting it, so running them against an account that already has the flag would clear it.

$ou = "OU=England,DC=Manticore,DC=org"

"`nMicrosoft"
# ActiveDirectory module: the cmdlet sets the bit for us
$name = "UserA"
Get-ADUser -Identity $name |
Set-ADAccountControl -AccountNotDelegated:$true

"`nAD provider"
# AD: drive from the ActiveDirectory module: read useraccountcontrol,
# flip the NOT_DELEGATED bit (1048576 = 0x100000) and write it back
$name = "UserB"
$dn = "cn=$name,$ou"
$flag = (Get-ItemProperty -Path AD:\$dn -Name useraccountcontrol).useraccountcontrol -bxor 1048576
Set-ItemProperty -Path AD:\$dn -Name useraccountcontrol -Value "$flag" -Confirm:$false

"`nQuest"
# Quest AD cmdlets: same bit flip, written with -ObjectAttributes
$name = "UserC"
$user = Get-QADUser -Identity $name -IncludeAllProperties
$flag = $user.userAccountControl -bxor 1048576
Set-QADUser -Identity $name -ObjectAttributes @{userAccountControl = $flag}

"`nScript"
# ADSI via the [adsi] type accelerator: flip the bit and commit with SetInfo()
$name = "UserD"
$dn = "cn=$name,$ou"
$user = [adsi]"LDAP://$dn"
$flag = $user.userAccountControl.value -bxor 1048576
$user.userAccountControl = $flag
$user.SetInfo()

The Microsoft Set-ADAccountControl cmdlet has a switch parameter, AccountNotDelegated, to which we pass a value of $true (written -AccountNotDelegated:$true). This is the only one of the four that is safe to re-run, because the cmdlet sets the bit rather than toggling it.

The other three options perform a binary exclusive OR (-bxor) on useraccountcontrol with a value of 1048576 (0x100000, the NOT_DELEGATED bit). Because -bxor toggles the bit, a second run against the same account clears the protection again; if you only ever want to set the flag, test for it first with -band, or use -bor, which leaves an already-set bit alone.
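As an added example, not code from the original post, the following script sets the flag idempotently with -bor instead of -bxor, reads the attribute back to confirm the change, and then audits a privileged group for members that can still be delegated. It assumes the Microsoft ActiveDirectory module in a domain-joined session with rights to modify the accounts; the account and group names are placeholders. The audit uses the LDAP bitwise AND matching rule (1.2.840.113556.1.4.803) so the server does the bit test rather than the script.

```powershell
# Added example: set NOT_DELEGATED without toggling, verify, and audit.
# Assumes the ActiveDirectory module; account/group names are placeholders.
Import-Module ActiveDirectory

# UF_NOT_DELEGATED bit of userAccountControl: 0x100000 = 1048576
$NotDelegated = 0x100000

function Test-NotDelegated {
    param([Parameter(Mandatory)][string]$Identity)
    $uac = (Get-ADUser -Identity $Identity -Properties userAccountControl).userAccountControl
    # -band isolates the bit; non-zero means the flag is already set
    return (($uac -band $NotDelegated) -ne 0)
}

function Set-NotDelegated {
    param([Parameter(Mandatory)][string]$Identity)
    $user = Get-ADUser -Identity $Identity -Properties userAccountControl
    $uac  = $user.userAccountControl
    if ($uac -band $NotDelegated) {
        "{0}: NOT_DELEGATED already set (userAccountControl=0x{1:X})" -f $Identity, $uac
        return
    }
    # -bor sets the bit whatever its current state; -bxor would flip it and
    # silently remove the protection on a second run.
    Set-ADUser -Identity $user -Replace @{ userAccountControl = ($uac -bor $NotDelegated) }
    # Read the attribute back rather than trusting the write
    if (-not (Test-NotDelegated -Identity $Identity)) {
        throw ("Failed to set NOT_DELEGATED on {0}" -f $Identity)
    }
    "{0}: NOT_DELEGATED set" -f $Identity
}

Set-NotDelegated -Identity 'UserA'   # placeholder account

# Audit: members of a privileged group whose accounts can still be delegated.
# The matching rule makes the DC test the bit server-side; the leading '!'
# returns accounts where it is NOT set.
$filter = "(&(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=1048576)))"
$delegatable = Get-ADUser -LDAPFilter $filter | Select-Object -ExpandProperty DistinguishedName
$privileged  = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' }

foreach ($member in $privileged) {
    if ($delegatable -contains $member.DistinguishedName) {
        "{0} is privileged but can still be delegated" -f $member.SamAccountName
    }
}
```

Run the audit part on its own first; any privileged account it lists is one that a service trusted for delegation could impersonate, and is a candidate for Set-NotDelegated.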
