# WriteAccountRestrictions

> This edge indicates the principal has the ability to modify several properties on the target principal, most notably the msDS-AllowedToActOnBehalfOfOtherIdentity attribute.

<img noZoom src="https://mintcdn.com/specterops/tTIczgde9H07oLXf/assets/enterprise-AND-community-edition-pill-tag.svg?fit=max&auto=format&n=tTIczgde9H07oLXf&q=85&s=ad49a576589f4d2a8081df77d07fdf56" alt="Applies to BloodHound Enterprise and CE" width="482" height="45" data-path="assets/enterprise-AND-community-edition-pill-tag.svg" />

The ability to modify the msDS-AllowedToActOnBehalfOfOtherIdentity property allows an attacker to abuse resource-based constrained delegation to compromise the remote computer system. This property is a binary DACL that controls which security principals can pretend to be any domain user to that particular computer object.

This clip demonstrates how to abuse this edge:

<iframe id="youtube-4952" frameborder="0" allowfullscreen="" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture; web-share" referrerpolicy="strict-origin-when-cross-origin" title="Player for 2 11 BloodHound Head to Tail Andy Robbins Rohan Vazarkar" width="100%" height="420" src="https://www.youtube.com/embed/fqYoOoghqdE?autoplay=0&controls=0&disablekb=1&playsinline=1&cc_load_policy=0&cc_lang_pref=auto&amp" data-gtm-yt-inspected-6="true" />
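For defenders auditing who holds the write access described above, this added example (not BloodHound's own code) parses SDDL strings of directory objects and reports trustees with an effective allow ACE granting WriteProperty on the User-Account-Restrictions property set. The SDDL samples, SIDs, computer names and function names are constructed for illustration; deny ACEs and conditional ACEs are not evaluated.

```python
import re

# User-Account-Restrictions property set GUID (Microsoft schema reference listed on this page)
UAR_GUID = "4c164200-20c0-11d0-a768-00aa006e0529"
DS_WRITE_PROP = 0x20  # ADS_RIGHT_DS_WRITE_PROP

def pairs(field):
    """Split an SDDL flags or rights field into its two-letter tokens."""
    return {field[i:i + 2] for i in range(0, len(field), 2)}

def has_write_prop(rights):
    """True if the rights field includes WP, given as letter pairs or as a hex mask."""
    if rights.lower().startswith("0x"):
        return bool(int(rights, 16) & DS_WRITE_PROP)
    return "WP" in pairs(rights)

def write_account_restrictions_trustees(sddl):
    """Trustees with an effective object-allow ACE for WP on the property set."""
    trustees = []
    for ace in re.findall(r"\(([^()]*)\)", sddl):
        fields = ace.split(";")
        if len(fields) != 6:
            continue  # not a plain ACE (e.g. the condition part of a conditional ACE)
        ace_type, flags, rights, obj_guid, _inherit_guid, trustee = fields
        if ace_type != "OA" or "IO" in pairs(flags):
            continue  # skip deny/audit ACEs and inherit-only ACEs
        if obj_guid.lower() == UAR_GUID and has_write_prop(rights):
            trustees.append(trustee)
    return trustees

def audit(objects, expected=frozenset()):
    """Return (object, trustee) pairs whose trustee is not in the expected set."""
    return [(name, t) for name, sddl in sorted(objects.items())
            for t in write_account_restrictions_trustees(sddl) if t not in expected]

# Constructed sample data: SIDs and security descriptors are made up for this example.
P = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE = {
    "WS01$": f"O:DAG:DAD:AI(OA;;WP;{UAR_GUID};;{P}-1105)(A;;GA;;;DA)",
    "WS02$": f"O:DAG:DAD:AI(OA;CIIO;RPWP;{UAR_GUID};;{P}-1106)"
             f"(OA;;RP;{UAR_GUID};;AU)",
    "WS03$": f"O:DAG:DAD:AI(OA;ID;0x30;{UAR_GUID.upper()};;{P}-1107)"
             f"(OD;;WP;{UAR_GUID};;{P}-1108)",
}

if __name__ == "__main__":
    for name, trustee in audit(SAMPLE):
        print(f"{name}: {trustee} can write account restrictions")
```

Trustees reported here are candidates for review against the set of principals that are expected to manage each computer or user object.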

## Abuse Info

See the AllowedToAct edge section for abuse info.

## Opsec Considerations

See the AllowedToAct edge section for opsec considerations.

## Edge Schema

Source: [User](/resources/nodes/user), [Group](/resources/nodes/group), [Computer](/resources/nodes/computer)\
Destination: [User](/resources/nodes/user), [Computer](/resources/nodes/computer)\
Traversable: **Yes**

## References

* [https://attack.mitre.org/techniques/T1098/](https://attack.mitre.org/techniques/T1098/)
* [https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/](https://dirkjanm.io/abusing-forgotten-permissions-on-precreated-computer-objects-in-active-directory/)
* [https://docs.microsoft.com/en-us/windows/win32/adschema/r-user-account-restrictions](https://docs.microsoft.com/en-us/windows/win32/adschema/r-user-account-restrictions)
* [https://specterops.io/blog/2022/08/03/introducing-bloodhound-4-2-the-azure-refactor/](https://specterops.io/blog/2022/08/03/introducing-bloodhound-4-2-the-azure-refactor/)
