Change coming in July 2019



KB 4490425:



To help determine whether any applications or accounts rely on the unsafe delegation, use the following resources:

  • PowerShell
    • A quick PowerShell command, run from the forest that holds the inbound trust, shows whether the flag is set on that trust:
      Get-ADTrust -Filter {Direction -eq "Inbound"} | ft Name,TGTDelegation

      The value returned by this command is counterintuitive and is the reverse of what you might expect:

      • FALSE – TGT delegation is enabled over the trust, which is the unsafe state.
      • TRUE – TGT delegation is disabled over the trust, which is the safe state.

      Note that a two-way trust reports its Direction as BiDirectional rather than Inbound, so it is not matched by the filter above; check those trusts separately if you have any.
    • A script has also been published that scans forests with incoming trusts that allow TGT delegation.
    • Refer to this support article for the PowerShell code:
      KB4490425 – Updates to TGT delegation across incoming trusts in Windows Server
    • Copy and paste the code from the support article into a file named Get-RiskyServiceAccountsByTrust.ps1
    • The script accepts two option switches:
      • -Collect outputs any security principals that have unconstrained delegation:
        .\Get-RiskyServiceAccountsByTrust.ps1 -Collect
      • -Collect -ScanAll outputs the security principals that have unconstrained delegation and additionally searches across trusts that do not allow TGT delegation:
        .\Get-RiskyServiceAccountsByTrust.ps1 -Collect -ScanAll

      Example of Output:

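As an added example, written for this page and not taken from the support article or the KB script, the following PowerShell puts the two checks above into reusable functions: one lists inbound (and two-way) trusts and translates the inverted TGTDelegation value into a plain safe/unsafe state, the other enumerates the user and computer objects in every domain of the local forest that carry the TRUSTED_FOR_DELEGATION bit (0x80000) in userAccountControl, which is what "unconstrained delegation" means at the attribute level. The function names and output property names are this example's own choices; it assumes the RSAT ActiveDirectory module is installed and that the account running it can read trust objects and userAccountControl. Domain controllers are skipped by primaryGroupID (516 for writable DCs, 521 for RODCs) because they have that bit by design.

```powershell
# Added example for this page; not the KB4490425 script. Assumes the RSAT
# ActiveDirectory module and read access to trust and account attributes.
Import-Module ActiveDirectory

function Get-InboundTrustTgtDelegationState {
    <#
    Lists trusts over which other forests' users can reach this forest
    (Direction Inbound or BiDirectional) and interprets TGTDelegation.
    As noted above the value is inverted:
      False = TGT delegation allowed over the trust (unsafe)
      True  = TGT delegation blocked over the trust (safe)
    #>
    Get-ADTrust -Filter { Direction -eq "Inbound" -or Direction -eq "BiDirectional" } |
        ForEach-Object {
            $state = if ($_.TGTDelegation) { 'Safe (TGT delegation blocked)' }
                     else { 'Unsafe (TGT delegation allowed)' }
            [PSCustomObject]@{
                TrustName     = $_.Name
                Direction     = $_.Direction
                TrustType     = $_.TrustType
                TGTDelegation = $_.TGTDelegation
                State         = $state
            }
        }
}

function Get-UnconstrainedDelegationPrincipal {
    <#
    Finds users and computers in every domain of the local forest whose
    userAccountControl has TRUSTED_FOR_DELEGATION (0x80000 = 524288).
    1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    Domain controllers carry this bit by design and are skipped unless asked for.
    #>
    param(
        [switch]$IncludeDomainControllers
    )
    $ldapFilter = '(&(|(objectCategory=computer)(objectCategory=person))' +
                  '(userAccountControl:1.2.840.113556.1.4.803:=524288))'

    foreach ($domain in (Get-ADForest).Domains) {
        Get-ADObject -LDAPFilter $ldapFilter -Server $domain `
                     -Properties userAccountControl, primaryGroupID, servicePrincipalName |
            Where-Object { $IncludeDomainControllers -or ($_.primaryGroupID -notin 516, 521) } |
            ForEach-Object {
                [PSCustomObject]@{
                    Domain            = $domain
                    Name              = $_.Name
                    ObjectClass       = $_.ObjectClass
                    DistinguishedName = $_.DistinguishedName
                    SPNCount          = @($_.servicePrincipalName).Count
                }
            }
    }
}

# Usage: first see which trusts will change behaviour with the July 2019 update,
# then see which principals in this forest could currently receive a forwarded TGT.
Get-InboundTrustTgtDelegationState | Format-Table -AutoSize
Get-UnconstrainedDelegationPrincipal | Format-Table -AutoSize
```

Any principal returned by the second function that sits in a forest with an "Unsafe" trust is a candidate for the KB's migration advice (constrained delegation or resource-based constrained delegation); an empty result from the second function means the July change should not break anything on this side of the trust.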
  • Event Viewer/Event Logs