A domain administrator can enable a server process to delegate client credentials by designating the account under which that process runs as “trusted for delegation.” If the account is a custom user account, say DOMA\Bob, the administrator for DOMA configures the Bob account this way. On the other hand, if the server process is configured to run as either Network Service or SYSTEM, the server is using the machine's credentials and therefore the administrator needs to grant delegation privileges to the computer account for the computer where that server process runs.

On Windows 2000, delegation is a binary choice. Either you allow a principal to delegate client credentials or you don't. ...