0

I have admin rights on a machine connected to AD. But I don't have rights on the Domain Controller.

With PowerShell, is it possible to get all authentication delegation settings of an AD account from my admin machine? If possible, how?

What I mean by delegation settings is the Delegation tab of the AD account, used for Kerberos authentication. Below is a snapshot of what I am referring to. Currently I can see a few services to which the account can present delegated credentials, but not all, since I cannot scroll down the list as it is greyed out.

[Image: screenshot of the account's Delegation tab]

Ansgar Wiechers

3 Answers

1
Get-ADObject -Filter {name -eq "yoursamaccountname"} -Properties msDS-AllowedToDelegateTo
Neroon
  • I get the warning: PS F:\Documents> Import-Module ActiveDirectory WARNING: Error initializing default drive: 'Unable to contact the server. This may be because this server does not exist, it is currently down, or it does not have the Active Directory Web Services running.'. – Baskar Lingam Ramachandran Jul 21 '17 at 10:49
1
Get-ADUser -Filter {SamAccountName -eq "YourAccountSamName"} -Properties msDS-AllowedToDelegateTo | Select-Object -ExpandProperty msDS-AllowedToDelegateTo

It will list all services to which the account can present delegated credentials.

0

The answer from Neroon did not work for me unfortunately, but I came up with a solution for an AD user that works, in case anyone else is looking for it:

Get-ADUser -filter { SamAccountName -eq "YouAccountSamName" } -Properties TrustedForDelegation | Select SamAccountName, TrustedForDelegation | FT -A

For multiple users:

$users = @('user1', 'user2')
$users | ForEach {Get-ADUser -filter { SamAccountName -eq $_ } -Properties TrustedForDelegation} | Select SamAccountName, TrustedForDelegation | sort -property SamAccountName | FT -A
Rod
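
The comment above shows the ActiveDirectory module failing because AD Web Services could not be reached. As an added example (not taken from any of the answers), the same attributes can be read over plain LDAP with `[adsisearcher]`, which needs neither the module nor ADWS, and mapped back to the options on the Delegation tab. The function name `Get-DelegationSetting` and the account name `svc-example` are assumptions, as is a domain-joined session with ordinary read access to the directory.

```powershell
# Added example: read one account's delegation settings over LDAP.
# 'svc-example' below is a constructed placeholder account name.
function Get-DelegationSetting {
    param([Parameter(Mandatory)][string]$SamAccountName)

    # userAccountControl bits (documented values)
    $TRUSTED_FOR_DELEGATION         = 0x80000    # "Trust ... to any service (Kerberos only)"
    $NOT_DELEGATED                  = 0x100000   # "Account is sensitive and cannot be delegated"
    $TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # "Use any authentication protocol"

    # Escape LDAP filter metacharacters (RFC 4515); backslash must go first
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29'

    # Serverless bind to the current domain; users and computers both match
    $searcher = [adsisearcher]"(sAMAccountName=$escaped)"
    $searcher.PropertiesToLoad.AddRange([string[]]@(
        'samaccountname', 'useraccountcontrol', 'msds-allowedtodelegateto'))

    $result = $searcher.FindOne()
    if (-not $result) { throw "Account '$SamAccountName' not found." }

    $p    = $result.Properties
    $uac  = [int]$p['useraccountcontrol'][0]
    $spns = @($p['msds-allowedtodelegateto'])   # empty array when the attribute is unset

    # Map the raw values back to the radio buttons on the Delegation tab
    $mode = if ($uac -band $TRUSTED_FOR_DELEGATION) {
        'Any service (Kerberos only)'
    } elseif ($spns.Count -and ($uac -band $TRUSTED_TO_AUTH_FOR_DELEGATION)) {
        'Specified services, any authentication protocol'
    } elseif ($spns.Count) {
        'Specified services, Kerberos only'
    } else {
        'Not trusted for delegation'
    }

    [pscustomobject]@{
        SamAccountName        = [string]$p['samaccountname'][0]
        DelegationTab         = $mode
        SensitiveNotDelegated = [bool]($uac -band $NOT_DELEGATED)
        AllowedToDelegateTo   = $spns   # full list, including entries the greyed-out tab hides
    }
}

Get-DelegationSetting -SamAccountName 'svc-example' | Format-List
```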