Annual Review of Unconstrained Delegation in AD Accounts
Annually review AD accounts for unnecessary delegation and remove if no business need.
Plain language
This control is all about checking each year if any accounts in your Microsoft Active Directory (AD) system can delegate their tasks without restrictions. If they don’t need to, those rights should be removed. This matters because unnecessary delegation can create security risks, like unauthorised access to sensitive information, which can lead to serious privacy breaches or financial losses.
Framework
ASD Information Security Manual (ISM)
Control effect
Detective
Classifications
NC, OS, P, S, TS
ISM last updated
Aug 2024
Control Stack last updated
19 Mar 2026
E8 maturity levels
N/A
Guideline
Guidelines for system hardening
Section
Server application hardening
Official control statement
User accounts with unconstrained delegation are reviewed at least annually, and those without an SPN or demonstrated business requirement are removed.
Why it matters
Unnecessary unconstrained delegation on AD accounts can enable credential theft and lateral movement, leading to unauthorised access.
Operational notes
At least annually, list AD accounts with unconstrained delegation and remove it unless an SPN and documented business need exist; alert on changes.
Implementation tips
- The IT team should compile a list of all accounts in the Active Directory that have unconstrained delegation turned on. They can do this by running specific queries or using administrative tools to identify these accounts.
- Managers should review the business needs for each account identified. They can do this by meeting with IT and the account users to understand if there are valid reasons for maintaining unconstrained delegation.
- The IT team should disable unconstrained delegation for accounts that do not have a current, documented business need. This involves going into the account settings and changing delegation permissions.
- System owners should document which accounts retain unconstrained delegation and why. They can do this by recording justifications in a formal document as part of their security protocol.
- HR and management should ensure that there is a clear policy regarding delegation rights to prevent future unnecessary grants. This could involve updated training and written guidelines for staff on why delegation settings matter.
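As an added example (not code from the ISM or Control Stack), the PowerShell script below carries out the review described in the operational notes and implementation tips: it lists user accounts with unconstrained delegation, checks each for an SPN and for a documented exception, writes a dated report suitable as audit evidence, and optionally clears the flag. The exceptions CSV, its column names and the report path are assumed placeholders.

```powershell
# Added example, not the ISM's own tooling. Assumes the ActiveDirectory RSAT
# module and an exceptions CSV (assumed path and columns) with the documented
# business need: SamAccountName,Justification,ApprovedBy,ReviewedOn.
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ExceptionsCsv = 'C:\Reviews\UnconstrainedDelegationExceptions.csv',
    [string]$ReportPath    = "C:\Reviews\UnconstrainedDelegation-$(Get-Date -Format yyyy-MM-dd).csv",
    [switch]$Remediate   # without this switch the script only reports
)
Import-Module ActiveDirectory

# Approved exceptions are the "demonstrated business requirement" the control requires.
$approved = @{}
if (Test-Path $ExceptionsCsv) {
    Import-Csv $ExceptionsCsv | ForEach-Object { $approved[$_.SamAccountName] = $_ }
}

# userAccountControl bit 0x80000 (524288, TRUSTED_FOR_DELEGATION) marks unconstrained delegation.
$accounts = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=524288)' `
    -Properties ServicePrincipalName, LastLogonDate, Description

$findings = foreach ($u in $accounts) {
    $hasSpn    = ($u.ServicePrincipalName.Count -gt 0)
    $exception = $approved[$u.SamAccountName]
    $decision  = if (-not $hasSpn)        { 'Remove: no SPN' }
                 elseif (-not $exception) { 'Remove: no documented business need' }
                 else                     { 'Retain: approved exception' }
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        HasSPN         = $hasSpn
        SPNs           = ($u.ServicePrincipalName -join ';')
        LastLogonDate  = $u.LastLogonDate
        Justification  = $exception.Justification
        ApprovedBy     = $exception.ApprovedBy
        Decision       = $decision
    }
}

# The dated CSV is the report an auditor asks for; the table is for the reviewer.
$findings | Export-Csv -Path $ReportPath -NoTypeInformation
$findings | Format-Table SamAccountName, HasSPN, Decision -AutoSize

if ($Remediate) {
    foreach ($f in ($findings | Where-Object Decision -like 'Remove*')) {
        # -WhatIf / -Confirm are honoured via SupportsShouldProcess.
        if ($PSCmdlet.ShouldProcess($f.SamAccountName, 'Clear unconstrained delegation')) {
            Set-ADAccountControl -Identity $f.SamAccountName -TrustedForDelegation $false
        }
    }
}
```

Run it without `-Remediate` first and have managers review the report; computer accounts (domain controllers legitimately hold this flag) are out of scope here because the control statement covers user accounts.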
Audit / evidence tips
- Ask: the list of accounts with unconstrained delegation. Request a report generated by the IT team showing all such accounts.
  Good: a recent, dated report listing accounts with explanations for necessary delegations.
- Ask: to see the business need documentation for each account with delegation. Request documentation that outlines why each account needs to maintain unconstrained delegation.
  Good: clear business reasons, dated and signed by authorised personnel.
- Ask: evidence of delegation changes in AD logs. Request recent logs to confirm changes to delegation settings.
  Good: logs showing changes made to delegation settings, including who made the changes and when.
- Ask: the policy on delegation rights management. Request a copy of the organisational policy regarding delegation rights.
  Good: a comprehensive, up-to-date policy with review dates and responsibilities outlined.
- Ask: training materials or records. Request evidence of training sessions or materials that mention the importance of managing delegation settings.
  Good: training records or materials that clearly discuss delegation management and are from recent sessions.
Cross-framework mappings
How ISM-1843 relates to controls across ISO/IEC 27001, Essential Eight, and ASD ISM.
ISO 27001
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| Annex A 5.18 | ISM-1843 requires organisations to review Active Directory (AD) user accounts with unconstrained delegation at least annually and remove ... | |
E8
| Control | Notes | Details |
|---|---|---|
| Partially meets (1) | | |
| E8-RA-ML3.1 | ISM-1843 requires an annual review to ensure unconstrained delegation is only present where there is a demonstrated business requirement ... | |
| Partially overlaps (1) | | |
| E8-RA-ML2.1 | ISM-1843 requires an annual review of AD accounts with unconstrained delegation and removal where there is no SPN or business requirement | |
These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.