Constrained delegation limits exactly which services a particular machine or account can access while impersonating other users. Each permitted "service" is a service principal name (SPN) that the account may access on behalf of the impersonated user. PowerView can help locate these settings: the attribute of interest is msds-allowedtodelegateto, and the account's userAccountControl property is modified as well. Essentially, if a computer or user object has a userAccountControl value containing TRUSTED_TO_AUTH_FOR_DELEGATION, then anyone who compromises that account can impersonate any user to the SPNs set in msds-allowedtodelegateto. Benjamin Delpy mentioned that SeEnableDelegationPrivilege is required to actually modify these parameters.
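To review these settings offline, the following added example (not from the original page or from PowerView) classifies exported account records by the two attributes described above. The sample records, the `kind` labels, and the assumption that userAccountControl is exported as an integer are all constructed for illustration.

```python
# Added example: audit exported AD attributes for constrained delegation.
TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000  # userAccountControl bit named on the page
ACCOUNTDISABLE = 0x2                        # userAccountControl bit: account disabled
ORDER = ["constrained-any-user", "constrained-kerberos-only", "flag-without-targets"]

# Constructed sample export; names, hosts and values are made up.
SAMPLE_RECORDS = [
    {"samaccountname": "alice", "useraccountcontrol": 0x200},
    {"samaccountname": "svc_old", "useraccountcontrol": 0x202 | TRUSTED_TO_AUTH_FOR_DELEGATION},
    {"sAMAccountName": "svc_report", "userAccountControl": 0x10200,
     "msDS-AllowedToDelegateTo": "HTTP/intranet.corp.example"},
    {"samaccountname": "web01$", "useraccountcontrol": 0x1000 | TRUSTED_TO_AUTH_FOR_DELEGATION,
     "msds-allowedtodelegateto": ["MSSQLSvc/sql01.corp.example:1433", "cifs/fs01.corp.example"]},
]

def parse_spn(spn):
    """Split 'class/host[:port][/name]' into (service class, host)."""
    service, _, rest = spn.partition("/")
    host = rest.split("/", 1)[0].split(":", 1)[0]
    return service.lower(), host.lower()

def audit_delegation(records):
    """Return one finding per account that carries delegation settings."""
    findings = []
    for rec in records:
        attrs = {k.lower(): v for k, v in rec.items()}  # exports differ in key case
        uac = int(attrs.get("useraccountcontrol", 0))
        spns = attrs.get("msds-allowedtodelegateto") or []
        if isinstance(spns, str):
            spns = [spns]  # a single-valued attribute may arrive as a bare string
        any_user = bool(uac & TRUSTED_TO_AUTH_FOR_DELEGATION)
        if not spns and not any_user:
            continue  # no delegation settings on this account
        if spns and any_user:
            kind = "constrained-any-user"       # the case the text warns about
        elif spns:
            kind = "constrained-kerberos-only"  # SPNs listed, flag not set
        else:
            kind = "flag-without-targets"       # flag set, SPN list empty: review
        findings.append({"account": attrs.get("samaccountname"), "kind": kind,
                         "enabled": not (uac & ACCOUNTDISABLE),
                         "targets": sorted({parse_spn(s) for s in spns})})
    return sorted(findings, key=lambda f: ORDER.index(f["kind"]))

if __name__ == "__main__":
    for finding in audit_delegation(SAMPLE_RECORDS):
        print(finding)
```

Accounts reported as `constrained-any-user` are the ones whose compromise exposes every listed target host, so they are the first candidates for credential hardening and monitoring.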