How to Delegate Control on a User’s SPN Attribute
When you set up permissions to delegate control on a user’s SPN attribute, the Read ServicePrincipalName and Write ServicePrincipalName properties are not visible for user accounts.
These are filtered properties of user objects and are not visible by default.
To make these attributes visible, perform the following steps:
1. Edit the c:\windows\system32\dssec.dat file in Notepad.
2. Search for [user]
3. Underneath [user], look for ServicePrincipalName=7
4. Change the value from 7 to 0.
5. Save the file and reopen the Active Directory Users and Computers console.
You will now be able to see Read ServicePrincipalName and Write ServicePrincipalName for user objects when you delegate control.
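
The steps above as a PowerShell script, added here as an example (not part of the original page): it changes the value only inside the [user] section, keeps the file's encoding, and saves a backup first. The backup file name is an assumption; run it from an elevated prompt on the machine where you open the console.

```powershell
#Requires -RunAsAdministrator
# Added example: un-filter ServicePrincipalName for user objects in dssec.dat.
$path   = Join-Path $env:SystemRoot 'System32\dssec.dat'
$backup = "$path.bak-$(Get-Date -Format yyyyMMddHHmmss)"   # assumed backup name

# Read the file and remember its encoding so it is written back unchanged.
$reader = New-Object System.IO.StreamReader($path, [System.Text.Encoding]::Default, $true)
try {
    $text     = $reader.ReadToEnd()
    $encoding = $reader.CurrentEncoding   # set from the BOM, if there is one
} finally {
    $reader.Dispose()
}

$inUser  = $false   # true while the loop is inside the [user] section
$changed = $false
$result = foreach ($line in ($text -split "`r?`n")) {
    if ($line -match '^\s*\[(.+?)\]\s*$') {
        # A section header: track whether it is [user].
        $inUser = ($Matches[1] -ieq 'user')
    } elseif ($inUser -and $line -match '^\s*ServicePrincipalName\s*=\s*7\s*$') {
        # Steps 3 and 4: change 7 to 0, for the [user] section only.
        $line    = 'ServicePrincipalName=0'
        $changed = $true
    }
    $line
}

if ($changed) {
    Copy-Item -LiteralPath $path -Destination $backup
    [System.IO.File]::WriteAllText($path, ($result -join "`r`n"), $encoding)
    Write-Output "Updated $path (backup: $backup). Reopen Active Directory Users and Computers."
} else {
    Write-Warning "ServicePrincipalName=7 was not found under [user] in $path; nothing was changed."
}
```

dssec.dat is read from the local machine, so the change applies only to consoles opened on the computer where the file was edited.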