From a1ae22b0c99ed87721a658031b8f13b8613b0ead Mon Sep 17 00:00:00 2001
From: Herbert Mauerer <41573578+HerbertMauerer@users.noreply.github.com>
Date: Tue, 3 Feb 2026 08:50:37 +0100
Subject: [PATCH] Enhance documentation for
 -PrincipalsAllowedToDelegateToAccount

Added information on specifying accounts from the same and different domains.
---
 docset/winserver2025-ps/ActiveDirectory/Set-ADServiceAccount.md | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/docset/winserver2025-ps/ActiveDirectory/Set-ADServiceAccount.md b/docset/winserver2025-ps/ActiveDirectory/Set-ADServiceAccount.md
index 70d18e4513..2d6c04bc70 100644
--- a/docset/winserver2025-ps/ActiveDirectory/Set-ADServiceAccount.md
+++ b/docset/winserver2025-ps/ActiveDirectory/Set-ADServiceAccount.md
@@ -595,6 +595,8 @@ Accept wildcard characters: False
 Specifies the accounts which can act on the behalf of users to services running as this Managed Service Account or Group Managed Service Account.
 This parameter sets the **msDS-AllowedToActOnBehalfOfOtherIdentity** attribute of the object.
 
+You can specify the Distinguished Name of an account when it is from the same domain as the account in focus. When you want a security principal from another domain, you need to construct an ADPrincipal object with the desired account, for example using Get-ADGroup.
+
 ```yaml
 Type: ADPrincipal[]
 Parameter Sets: Identity