Setting via PowerShell for an user object:
Set-ADUser -Identity ServiceAccount -Add @{'msDS-AllowedToDelegateTo'=@('HTTP/app1.domain.com','HTTP/app2.domain.com')}Setting via PowerShell for a computer object:
Set-ADComputer -Identity ComputerAccount -Add @{'msDS-AllowedToDelegateTo'=@('HOST/System1')}
Referring to Determining Users Configured With “Trusted For Delegation” here are two ways to find user accounts or computer accounts configured for Constrained Delegation
Find Users:
Get-ADUser -SearchBase "DC=domain,DC=local" -LdapFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=16777216)(msDS-AllowedToDelegateTo=*))" | %{$_.DistinguishedName}Find Computers:
Get-ADComputer -SearchBase "DC=domain,DC=local" -LdapFilter "(&(userAccountControl:1.2.840.113556.1.4.803:=16777216)(msDS-AllowedToDelegateTo=*))" | %{$_.DistinguishedName}