ISM-1844 | ASD Information Security Manual (ISM)

Prevent Non-Controller Accounts from Delegating Services

Ensure non-domain controller accounts can't be used to delegate services in Active Directory.


Plain language

This control is about ensuring that computer accounts which are not managing the overall network (non-domain controllers) don't have permission to act on behalf of other users when talking to services in Microsoft Active Directory (known as delegation). If we're not careful here, someone might exploit these accounts to access sensitive information or even disrupt your business operations.

Framework

ASD Information Security Manual (ISM)

Control effect

Preventative

Classifications

NC, OS, P, S, TS

ISM last updated

Feb 2023

Control Stack last updated

19 Mar 2026

E8 maturity levels

N/A

Official control statement

Computer accounts that are not Microsoft AD DS domain controllers are not trusted for delegation to services.

Why it matters

If non-domain controller computer accounts are trusted for delegation, attackers can impersonate services, escalate privileges and move laterally.


Operational notes

Audit AD delegation (Trusted for delegation/Constrained) and ensure only domain controllers are permitted; remove delegation from all others.


Implementation tips

  • IT team should review all computer accounts: Go through each account in your Active Directory that's not a domain controller and check their delegations. Make sure they don't have unnecessary permissions that allow them to act on behalf of legitimate accounts.
  • System administrator should update delegation settings: Ensure only domain controllers have the right to delegate services. You can do this by accessing the properties of non-controller accounts in Active Directory and adjusting any settings that allow delegation.
  • Manager should schedule regular training: Ensure staff understand why only domain controllers should delegate services. Hold a session where you explain, using examples, how improper settings can lead to security risks.
  • IT team should implement monitoring tools: Use monitoring tools to alert the team when a non-controller account is granted delegation rights. This can be set up within your Active Directory system or with an external monitoring tool that flags these changes.
  • Security officer should establish a review policy: Set up a policy that includes regular checks on delegation settings as part of your security practices. This policy should specify who checks, what they check, and how frequently.
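The audit in the operational notes and the review and monitoring steps above can be scripted. The following is an added example (not Control Stack's or ASD's own tooling) that uses the RSAT ActiveDirectory module to list every non-domain-controller computer account with any form of delegation configured; the computer name and CSV path in the remediation comments are placeholders.

```powershell
# Added example: report computer accounts that are trusted for delegation,
# excluding domain controllers. Assumes the RSAT ActiveDirectory module and
# read access to the domain.
Import-Module ActiveDirectory

# Writable DCs have primary group RID 516 (Domain Controllers),
# read-only DCs have 521 (Read-only Domain Controllers).
$dcRids = 516, 521

$props = 'TrustedForDelegation', 'TrustedToAuthForDelegation',
         'msDS-AllowedToDelegateTo', 'PrimaryGroupID', 'DistinguishedName'

$findings = Get-ADComputer -Filter * -Properties $props |
    Where-Object { $dcRids -notcontains $_.PrimaryGroupID } |
    Where-Object {
        $_.TrustedForDelegation -or              # unconstrained delegation
        $_.TrustedToAuthForDelegation -or        # constrained with protocol transition
        $_.'msDS-AllowedToDelegateTo'            # constrained delegation target SPNs
    } |
    ForEach-Object {
        [PSCustomObject]@{
            Name          = $_.Name
            Unconstrained = [bool]$_.TrustedForDelegation
            ProtocolTrans = [bool]$_.TrustedToAuthForDelegation
            ConstrainedTo = ($_.'msDS-AllowedToDelegateTo' -join ';')
            DN            = $_.DistinguishedName
        }
    }

# Every row is a finding under ISM-1844; an empty result is the desired state.
$findings | Format-Table -AutoSize

# Export as the "delegation permissions report" evidence item (placeholder path).
$findings | Export-Csv -Path '.\non-dc-delegation.csv' -NoTypeInformation

# Remediation for a reviewed account (placeholder name; run after change approval):
# Set-ADComputer -Identity 'WS-EXAMPLE$' -TrustedForDelegation $false
# Set-ADComputer -Identity 'WS-EXAMPLE$' -Clear 'msDS-AllowedToDelegateTo'
# Set-ADAccountControl -Identity 'WS-EXAMPLE$' -TrustedToAuthForDelegation $false
```

Scheduling this script and diffing its CSV output against the previous run gives the change log and the periodic review evidence asked for in the audit tips.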

Audit / evidence tips

  • Ask for: the delegation permissions report. Request a recent export of delegation settings for all non-controller accounts. Good evidence: no unnecessary delegation permissions are listed for non-controller accounts.
  • Ask for: documentation of delegation setting changes. Request logs showing any changes made to delegation rights for non-controller accounts. Good evidence: shows only authorised changes made by the IT team.
  • Ask for: the training records. Request the attendance records for any training sessions about delegation rights. Good evidence: is recent and includes all relevant staff, showing they understand the importance.
  • Ask for: procedures on handling delegation alerts. Request documents outlining steps to follow when a delegation alert is raised. Good evidence: is detailed and shows clear accountability and rapid response actions.
  • Ask for: the policy review schedule. Request the schedule and results of recent reviews of delegation settings. Good evidence: includes recent, regular reviews and clear documentation of findings.

Cross-framework mappings

How ISM-1844 relates to controls across ISO/IEC 27001, ISO/IEC 42001, Essential Eight, and ASD ISM.

ISO 27001

Partially meets (1)
  Annex A 5.18: ISM-1844 requires that computer accounts that are not Microsoft AD DS domain controllers are not trusted for delegation to services, prev...

Related (1)
  Annex A 5.15: Annex A 5.15 requires rules and procedures that control logical access to systems and associated services.

These mappings show relationships between controls across frameworks. They do not imply full equivalence or certification.
