Different to Unconstrained this attack is still dangerous in it's own way, since now it is constrained to "what" can be impersonated all that is needed it to wait for the correct user and the correct or targeted permissions that we are searching for and we can gain access as well to what our goal is, it doesn't necessarily need to be the DC or DA in any matter, yes it will make it easier to reach, but what if the gaol is to get a Database?. Well we should wait for a user that contains SQL permissions, a Webserver?? HTTP Services, and a very promisable one, what if we get a user that has only LDAP permissions we can use an attack called DCSync attack that will permit us to Dump hashes of the entire domain. Yes. The entire domain.