Delegate permission to set Kerberos Constrained Delegation in Active Directory

Problem:
You try to enable Kerberos Constrained Delegation with a non-admin account that has Full Access over the object.
For example:
George has been given Full Access in Active Directory over the OU “Servers”. When he tries to change settings on the Delegation tab of server “Vanilla”, he gets “A required privilege is not held by the client”.

Cause:
This happens because a user right in the Domain Controllers policy allows only Domain Admins to configure Kerberos Constrained Delegation.

Solution:
Open the Domain Controllers Group Policy, or add a new policy, and give George the required right.

Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\User Rights – “Enable computer and user accounts to be trusted for delegation”

After granting this right (to George, for example), it can take several minutes for the setting to take effect, even if you run gpupdate /force.
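
To confirm that a domain controller has picked up the change, and to audit who holds this sensitive right, the following added example (not part of the original post) reads a secedit user-rights export and lists the accounts assigned SeEnableDelegationPrivilege, the internal name of this user right. The function name Get-DelegationRightHolder and the sample lines are constructed for illustration.

```powershell
# Added example: list who holds "Enable computer and user accounts to be
# trusted for delegation" (SeEnableDelegationPrivilege) in a secedit export.
# Get-DelegationRightHolder is a hypothetical helper name.
function Get-DelegationRightHolder {
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$InfLine)

    foreach ($line in $InfLine) {
        if ($line -match '^\s*SeEnableDelegationPrivilege\s*=\s*(.*)$') {
            foreach ($entry in ($Matches[1] -split ',')) {
                $entry = $entry.Trim()
                if (-not $entry) { continue }
                if ($entry.StartsWith('*')) {
                    # secedit writes SIDs with a leading asterisk
                    $sid = $entry.TrimStart('*')
                    try {
                        $sidObj  = [System.Security.Principal.SecurityIdentifier]$sid
                        $account = $sidObj.Translate([System.Security.Principal.NTAccount]).Value
                    } catch {
                        $account = '<unresolved>'   # deleted account or unknown domain
                    }
                } else {
                    # entry was exported as a plain account name
                    $sid = $null
                    $account = $entry
                }
                [pscustomobject]@{ Account = $account; Sid = $sid }
            }
        }
    }
}

# Constructed sample export (the domain SID below is made up).
$sample = @(
    '[Privilege Rights]',
    'SeEnableDelegationPrivilege = *S-1-5-32-544,*S-1-5-21-1111111111-2222222222-3333333333-1105'
)
Get-DelegationRightHolder -InfLine $sample

# On a domain controller, from an elevated prompt:
#   $cfg = Join-Path $env:TEMP 'user-rights.inf'
#   secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
#   Get-DelegationRightHolder -InfLine (Get-Content $cfg)
#   Remove-Item $cfg
```

Any account in the output that is not expected to manage delegation settings is worth reviewing, since this right controls which accounts can mark others as trusted for delegation.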
