spot is allowed to delegate, or in other words to impersonate any user, and authenticate to the file system service (CIFS) on the domain controller DC01.
msds-allowedtodelegateto identifies the SPNs of the services that the user spot is trusted to delegate to (that is, to authenticate to on behalf of other domain users). In this case it says that the user spot is allowed to authenticate to the CIFS service on DC01 on behalf of any other domain user:
The msds-allowedtodelegateto attribute in AD is defined here:
The TRUSTED_TO_AUTH_FOR_DELEGATION flag (a bit of the userAccountControl attribute; when set, the account may use protocol transition, i.e. S4U2Self for any user) is defined here:
spot, who has constrained delegation configured as described earlier. Let's first check that we currently cannot access the file system of DC01 before we impersonate a domain admin user:
/altservice switch for other service classes on the same host (the service name in the ticket is not integrity-protected, so CIFS can be swapped out): HTTP (WinRM), LDAP (DCSync), HOST (PsExec shell), MSSQLSvc (DB admin rights).
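The two attribute explanations above and the /altservice list are easy to get wrong in the field, so here is an added example (not code from the original page or from Rubeus) that triages delegation settings the way a practitioner would after an LDAP dump: it decodes the relevant userAccountControl bits, decides whether an account can do protocol transition (S4U2Self for any user) or is constrained to Kerberos-only delegation, and lists the alternate SPNs on the target host that an /altservice swap could turn the CIFS ticket into. The account records are constructed, and the lab.local domain suffix and the svc_web/alice accounts are assumptions; only spot, DC01 and the four service classes come from the text.

```python
# Added example, not code from the original page: triage of delegation-related
# LDAP attributes. Sample records are constructed; host names are assumptions.

# userAccountControl bits; only the two delegation flags matter here.
NORMAL_ACCOUNT = 0x00000200
TRUSTED_FOR_DELEGATION = 0x00080000          # unconstrained delegation
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000  # protocol transition ("use any authentication protocol")

# Service classes worth swapping into the ticket via /altservice, as listed on the page.
ALT_SERVICES = {
    "HTTP": "WinRM",
    "LDAP": "DCSync",
    "HOST": "PsExec shell",
    "MSSQLSvc": "DB admin rights",
}


def parse_spn(spn):
    """Split 'class/host[:port][/name]' into (service_class, host)."""
    service_class, _, rest = spn.partition("/")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return service_class, host


def classify(uac, allowed_to_delegate_to):
    """Return how (and whether) an account can impersonate users via Kerberos delegation."""
    targets = list(allowed_to_delegate_to)
    if uac & TRUSTED_FOR_DELEGATION:
        mode, note = "unconstrained", "receives forwarded TGTs of anyone who authenticates to it"
    elif targets and uac & TRUSTED_TO_AUTH_FOR_DELEGATION:
        mode, note = "constrained+protocol_transition", "S4U2Self works for any user: the account's password or hash alone is enough"
    elif targets:
        mode, note = "constrained_kerberos_only", "needs a Kerberos authentication from the user it wants to impersonate first"
    else:
        mode, note = "none", "no delegation configured"
    return {"mode": mode, "targets": targets, "note": note}


def alternate_targets(allowed_to_delegate_to):
    """Other SPNs on the same hosts that a /altservice swap could turn the S4U2Proxy ticket into."""
    hosts = []
    for spn in allowed_to_delegate_to:
        _, host = parse_spn(spn)
        if host not in hosts:  # one entry per host, whatever class the attribute lists
            hosts.append(host)
    return [(f"{service_class}/{host}", use)
            for host in hosts for service_class, use in ALT_SERVICES.items()]


# Constructed sample records (what an LDAP query returning the two attributes would yield).
SAMPLE_ACCOUNTS = [
    {"sAMAccountName": "spot",
     "userAccountControl": NORMAL_ACCOUNT | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msDS-AllowedToDelegateTo": ["cifs/dc01", "cifs/dc01.lab.local"]},
    {"sAMAccountName": "svc_web",          # assumed account: constrained, but Kerberos-only
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": ["MSSQLSvc/sql01.lab.local:1433"]},
    {"sAMAccountName": "alice",            # assumed account: no delegation at all
     "userAccountControl": NORMAL_ACCOUNT,
     "msDS-AllowedToDelegateTo": []},
]


def triage(accounts):
    """Map sAMAccountName -> classification for every record."""
    return {a["sAMAccountName"]: classify(a["userAccountControl"], a["msDS-AllowedToDelegateTo"])
            for a in accounts}


if __name__ == "__main__":
    for name, result in triage(SAMPLE_ACCOUNTS).items():
        print(f"{name}: {result['mode']} ({result['note']})")
        for spn, use in alternate_targets(result["targets"]):
            print(f"    reachable via /altservice: {spn} -> {use}")
```

For spot the script reports constrained delegation with protocol transition and lists HTTP/dc01, LDAP/dc01, HOST/dc01 and MSSQLSvc/dc01 as swap candidates; the same classification logic can be fed from any LDAP client that returns userAccountControl and msDS-AllowedToDelegateTo.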