How to Delegate Control on User’s SPN attribute?
Issue Definition:
Control over a user's SPN attribute cannot be delegated because the Read ServicePrincipalName and Write ServicePrincipalName properties are not visible for user accounts when setting up permissions.
Cause:
These properties are filtered for user objects, so they are not visible by default.
Resolution:
To make these attributes visible, perform the following steps:
1. Open the file c:\windows\system32\dssec.dat in Notepad.
2. Search for [user]
3. Underneath [user], look for ServicePrincipalName=7
4. Change the value from 7 to 0.
5. Save the file and reopen the Active Directory Users and Computers console.
You will now be able to see Read ServicePrincipalName and Write ServicePrincipalName for user objects when delegating control.
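
The steps above as a script, added here as an example and not part of the original article: it changes ServicePrincipalName=7 to 0 only inside the [user] section and keeps a copy of the original file for rollback. The backup file name is an assumption made for this example; run it from an elevated PowerShell session.

```powershell
# Added example (not from the original article). Run in an elevated session.
$path   = 'C:\Windows\System32\dssec.dat'   # file named in step 1
$backup = "$path.bak"                        # assumption: backup name chosen for this example

# Keep the file's existing encoding: UTF-16 LE if it starts with an FF FE BOM,
# otherwise the system default encoding.
$bytes = [System.IO.File]::ReadAllBytes($path)
$enc = if ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
    [System.Text.Encoding]::Unicode
} else {
    [System.Text.Encoding]::Default
}
$lines = [System.IO.File]::ReadAllText($path, $enc) -split "\r?\n"

$section = ''
$changed = $false
$result = foreach ($line in $lines) {
    if ($line -match '^\s*\[(.+)\]\s*$') {
        $section = $Matches[1]                  # entering a new [section]
    }
    elseif ($section -eq 'user' -and $line -match '^\s*ServicePrincipalName\s*=\s*7\s*$') {
        $line = 'ServicePrincipalName=0'        # steps 3-4: change 7 to 0 under [user] only
        $changed = $true
    }
    $line                                       # emit the (possibly modified) line
}

if ($changed) {
    Copy-Item -Path $path -Destination $backup -Force   # keep the original for rollback
    [System.IO.File]::WriteAllText($path, ($result -join "`r`n"), $enc)
    Write-Output "Updated [user] ServicePrincipalName to 0; original saved to $backup"
} else {
    Write-Output 'No ServicePrincipalName=7 entry found under [user]; file left unchanged.'
}
```

Reopen the Active Directory Users and Computers console afterwards, as in step 5, so the change is picked up.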