One Day Sec

What attributes can be modified on a machine account created via MAQ, and why is this useful?

When a non-privileged user creates a machine account under the ms-DS-MachineAccountQuota (MAQ) allowance, the directory records the creator in the account's mS-DS-CreatorSID and grants the creator write access to a specific set of attributes rather than to the whole object. The creator can modify, among others, AccountDisabled (an ADSI property that maps to the ACCOUNTDISABLE bit of userAccountControl), DnsHostName, ServicePrincipalName (SPN), msDS-AllowedToActOnBehalfOfOtherIdentity and userAccountControl. This is what makes MAQ-created accounts useful to an attacker: they can configure resource-based constrained delegation, set SPNs and host names for Kerberos attacks, or disable the account between uses so it draws less attention, as detailed in Domain Penetration - DNS Records and MachineAccount. The access is not unrestricted: the creator cannot delete the account, and userAccountControl flags that require SeEnableDelegationPrivilege (such as TRUSTED_FOR_DELEGATION) are rejected even though the attribute itself is writable.
Tags: machine account attributes, ServicePrincipalName, msDS-AllowedToActOnBehalfOfOtherIdentity, userAccountControl
