
We want to use Windows Admin Center to manage our environment; WAC will run on a dedicated server in gateway mode, and administrators will manage servers through WAC.

This requires setting up Kerberos constrained delegation to allow WAC to operate on the servers on behalf of the users; this is well documented, and works this way:

# Requires the ActiveDirectory module (RSAT)
$wac = Get-ADComputer -Identity "WAC Server Name"          # the gateway's computer object
$server = Get-ADComputer -Identity "Managed Server Name"   # the server WAC will manage
# Writes the gateway into the server's msDS-AllowedToActOnBehalfOfOtherIdentity
# (resource-based constrained delegation); this replaces any existing list
Set-ADComputer -Identity $server -PrincipalsAllowedToDelegateToAccount $wac

Of course, this can easily be scripted for multiple servers.

However, what we would like is for this to be automated: when a new server is joined to the domain, the WAC gateway should automatically be granted a Kerberos delegation to manage it.

Unfortunately, this doesn't seem to be an actual ACL on the computer object; thus it doesn't seem possible to handle this with an ACL at the OU or domain level. Also, there doesn't seem to be any GPO setting for this (or at least I couldn't find it).

How can we automatically enable Kerberos delegation to the WAC gateway for all computers when they are joined to the domain?

Massimo
  • Wish I had time right now to write up a full answer. There are probably several ways that this can be accomplished, but here's a quick and admittedly crude one that comes to mind and might inspire you: on your DCs, look in the Security log for event ID 645 (Computer Account Created) and attach a Scheduled Task that pulls the new computer account name into the script that you have noted above. It's not the best way, but...something?! – SamErde Dec 15 '22 at 19:11
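As an added example (not code from the question, the comment, or the Windows Admin Center documentation), here is how the delegation grant from the question can be made idempotent and applied either to a whole OU on a schedule or only to the computer accounts a domain controller has just logged as created, which is the scheduled-task approach SamErde suggests. The gateway name WAC-GW01, the OU and the domain are placeholders. The script reads the current value of PrincipalsAllowedToDelegateToAccount (the cmdlet's view of the msDS-AllowedToActOnBehalfOfOtherIdentity attribute) and appends the gateway rather than overwriting, because Set-ADComputer replaces the whole list. The event lookup uses ID 4741, which is what Windows Server 2008 and later log for "A computer account was created" (645 is the pre-2008 ID for the same event).

```powershell
# Added example: not code from the question, the comment or the Windows Admin
# Center documentation. WAC-GW01, the OU and the domain are placeholders.
# Requires the ActiveDirectory module; the event lookup must run on a domain
# controller (or against one via -ComputerName on Get-WinEvent).
Import-Module ActiveDirectory

$GatewayName = 'WAC-GW01'                        # assumed WAC gateway host name
$ServerOU    = 'OU=Servers,DC=corp,DC=example'   # assumed OU holding managed servers

function Grant-WacDelegation {
    # Allow $Gateway to act on behalf of users against $Server (resource-based
    # constrained delegation). Returns $true if a change was written, $false if
    # the gateway was already listed, so repeated runs are harmless.
    param(
        [Parameter(Mandatory)] [Microsoft.ActiveDirectory.Management.ADComputer] $Server,
        [Parameter(Mandatory)] [Microsoft.ActiveDirectory.Management.ADComputer] $Gateway
    )
    # The cmdlet exposes msDS-AllowedToActOnBehalfOfOtherIdentity as the DNs of
    # the principals currently allowed; read it fresh rather than trusting a
    # cached object.
    $current = @((Get-ADComputer -Identity $Server -Properties PrincipalsAllowedToDelegateToAccount).PrincipalsAllowedToDelegateToAccount |
                 Where-Object { $_ })
    if ($current -contains $Gateway.DistinguishedName) {
        Write-Verbose "$($Server.Name): $($Gateway.Name) already allowed"
        return $false
    }
    # Set-ADComputer replaces the whole list, so pass the existing DNs plus the
    # gateway instead of just the gateway (which would silently drop the others).
    Set-ADComputer -Identity $Server -PrincipalsAllowedToDelegateToAccount ($current + $Gateway.DistinguishedName)
    Write-Verbose "$($Server.Name): delegation granted to $($Gateway.Name)"
    return $true
}

function Sync-WacDelegationForOU {
    # Option A: periodic task. Bring every enabled computer in $SearchBase into
    # line, skipping the gateway's own account.
    param([string] $SearchBase, [Microsoft.ActiveDirectory.Management.ADComputer] $Gateway)
    Get-ADComputer -SearchBase $SearchBase -Filter { Enabled -eq $true } |
        Where-Object { $_.DistinguishedName -ne $Gateway.DistinguishedName } |
        ForEach-Object {
            [pscustomobject]@{ Server = $_.Name; Changed = (Grant-WacDelegation -Server $_ -Gateway $Gateway) }
        }
}

function Get-RecentlyCreatedComputers {
    # Option B: event-driven, as suggested in the comment. Return the SAM names
    # (e.g. "SRV01$") of computer accounts created in the last $Hours hours,
    # taken from Security event 4741 ("A computer account was created";
    # 645 is the pre-Windows Server 2008 ID for the same event).
    param([int] $Hours = 1)
    $filter = @{ LogName = 'Security'; Id = 4741; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml = [xml] $_.ToXml()
        ($xml.Event.EventData.Data | Where-Object Name -eq 'TargetUserName').'#text'
    } | Where-Object { $_ } | Sort-Object -Unique
}

$gateway = Get-ADComputer -Identity $GatewayName

# A: whole OU (run from an hourly or daily scheduled task)
Sync-WacDelegationForOU -SearchBase $ServerOU -Gateway $gateway

# B: only accounts a DC logged as created in the last 24 hours (run from a task
# triggered on Security event 4741, or on a short schedule)
foreach ($sam in Get-RecentlyCreatedComputers -Hours 24) {
    $server = Get-ADComputer -Identity $sam -ErrorAction SilentlyContinue
    if ($server -and $server.DistinguishedName -ne $gateway.DistinguishedName) {
        Grant-WacDelegation -Server $server -Gateway $gateway | Out-Null
    }
}
```

Run it under an account with write access to msDS-AllowedToActOnBehalfOfOtherIdentity on the target computer objects (delegating that single attribute at the OU level is enough; it does not need Domain Admins). Option A is the safer default because it also repairs servers whose creation event was missed or whose delegation list was later overwritten; option B only narrows the work to accounts that just appeared.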

0 Answers