WriteAccountRestrictions (WAR)
ID: ff64461e-7d32-5a91-882f-fe8492f411bd
STIX ID: report--ff64461e-7d32-5a91-882f-fe8492f411bd
Feed Name: SpecterOps Blog
This report analyzes how write access to the User-Account-Restrictions property set (WriteAccountRestrictions, WAR), when delegated broadly (often at the domain root), enables attackers to modify UserAccountControl, enable or disable accounts, force password changes, and perform resource-based constrained delegation (RBCD). The author demonstrates multiple PoC attack paths (resurrecting disabled machine accounts, forcing password resets and DNS modification to capture Kerberos tickets, abusing Zerologon to dump DC credentials over DRSUAPI, and leveraging WAR for targeted AS-REPs and service impersonation), then gives practical defensive recommendations such as auditing broad delegations, using staging OUs, and isolating disabled accounts.
