ms-DS-Allowed-To-Delegate-To attribute

This attribute is set on service account objects (computer or user accounts). It contains a list of Service Principal Names (SPNs) and is used to configure a service so that it can obtain service tickets that can be used for constrained delegation.

| Entry | Value |
| --- | --- |
| CN | ms-DS-Allowed-To-Delegate-To |
| Ldap-Display-Name | msDS-AllowedToDelegateTo |
| Size | 0 to 64K |
| Update Privilege | - |
| Update Frequency | Infrequently |
| Attribute-Id | 1.2.840.113556.1.4.1787 |
| System-Id-Guid | 800d94d7-b7a1-42a1-b14d-7cae1423d07f |
| Syntax | String(Unicode) |
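
To review which accounts are configured for constrained delegation and to which services, the values of this attribute can be read from a directory export. The following is an added example, not code from this page or from Microsoft: it assumes an LDIF-style text export and uses constructed account names and SPNs. It handles multiple values per account, folded lines, and base64-encoded (`::`) values, which LDIF uses for non-ASCII Unicode strings.

```python
import base64
from collections import defaultdict

ATTR = "msds-allowedtodelegateto"  # LDAP display name, matched case-insensitively

# Constructed sample export; every DN and SPN below is made up for illustration.
_B64 = base64.b64encode("HTTP/intran\u00e4t.example.test".encode("utf-8")).decode("ascii")
SAMPLE_LDIF = f"""dn: CN=WEB01,OU=Servers,DC=example,DC=test
msDS-AllowedToDelegateTo: MSSQLSvc/sql01.example.test:1433
msDS-AllowedToDelegateTo: cifs/file01.exa
 mple.test

dn: CN=svc-report,OU=Service Accounts,DC=example,DC=test
msDS-AllowedToDelegateTo:: {_B64}

dn: CN=FILE01,OU=Servers,DC=example,DC=test
objectClass: computer
"""

def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def delegation_targets(ldif_text):
    """Return {account DN: [(service class, host, port or None), ...]}."""
    result = defaultdict(list)
    dn = None
    for line in unfold(ldif_text):
        if not line.strip():
            dn = None  # a blank line ends the current entry
            continue
        name, sep, value = line.partition(":")
        if not sep:
            continue
        if value.startswith(":"):  # "attr:: <base64>" holds UTF-8 bytes
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        if name.lower() == "dn":
            dn = value
        elif name.lower() == ATTR and dn:
            svc, _, rest = value.partition("/")
            host, _, port = rest.split("/")[0].partition(":")
            result[dn].append((svc, host, port or None))
    return dict(result)
```

Accounts without the attribute (FILE01 in the sample) do not appear in the result, so the output is the list of accounts to review.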

Implementations

Windows Server 2003

| Entry | Value |
| --- | --- |
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | Organizational-Person |

Windows Server 2003 R2

| Entry | Value |
| --- | --- |
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | Organizational-Person |

Windows Server 2008

| Entry | Value |
| --- | --- |
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | Organizational-Person |

Windows Server 2008 R2

| Entry | Value |
| --- | --- |
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | Organizational-Person |

Windows Server 2012

| Entry | Value |
| --- | --- |
| Link-Id | - |
| MAPI-Id | - |
| System-Only | False |
| Is-Single-Valued | False |
| Is Indexed | False |
| In Global Catalog | False |
| NT-Security-Descriptor | O:BAG:BAD:S: |
| Range-Lower | - |
| Range-Upper | - |
| Search-Flags | 0x00000000 |
| System-Flags | 0x00000010 |
| Classes used in | Organizational-Person |