When the flag is set on the CA, templates configured for authentication (i.e. with EKUs such as Client Authentication, PKINIT Client Authentication, Smart Card Logon, Any Purpose (OID 2.5.29.37.0), or no EKU at all (SubCA)) that also allow low-privileged users to enroll can be abused to authenticate as any other user, machine or admin.
The default User template meets all of the template requirements stated above.
If the CA is configured with the EDITF_ATTRIBUTESUBJECTALTNAME2 flag (admins tend to enable that flag without knowing the security implications), and the User template is enabled (which is very often the case), any user can escalate to domain admin.
From UNIX-like systems, Certipy (Python) can be used to enumerate information about the CAs, including the "User Specified SAN" flag state, which is an alias for the EDITF_ATTRIBUTESUBJECTALTNAME2 flag.
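For defenders auditing their own CA, the following is an added example (not Certipy's code nor part of the original page) that reads the EditFlags value as printed by `certutil -getreg policy\EditFlags`, checks the EDITF_ATTRIBUTESUBJECTALTNAME2 bit, and combines it with the template conditions above (authentication EKU or no EKU, enabled, low-privileged enrollment) to list the templates that create an ESC6 exposure. The set of principals treated as low-privileged and the sample certutil output and template inventory are constructed assumptions.

```python
import re

# Bit value of EDITF_ATTRIBUTESUBJECTALTNAME2 in the CA policy module's EditFlags DWORD
EDITF_ATTRIBUTESUBJECTALTNAME2 = 0x00040000

# EKU OIDs that make an issued certificate usable for domain authentication
AUTH_EKUS = {
    "1.3.6.1.5.5.7.3.2": "Client Authentication",
    "1.3.6.1.5.2.3.4": "PKINIT Client Authentication",
    "1.3.6.1.4.1.311.20.2.2": "Smart Card Logon",
    "2.5.29.37.0": "Any Purpose",
}
# Enrollment principals treated as low-privileged (assumption for this example)
LOW_PRIV_PRINCIPALS = {"Domain Users", "Authenticated Users", "Domain Computers", "Everyone"}


def parse_edit_flags(certutil_output: str) -> int:
    """Pull the EditFlags DWORD out of `certutil -getreg policy\\EditFlags` text output."""
    m = re.search(r"EditFlags\s+REG_DWORD\s*=\s*([0-9a-fA-F]+)", certutil_output)
    if not m:
        raise ValueError("EditFlags not found in certutil output")
    return int(m.group(1), 16)

def san_flag_set(edit_flags: int) -> bool:
    return bool(edit_flags & EDITF_ATTRIBUTESUBJECTALTNAME2)

def template_allows_auth(ekus: list[str]) -> bool:
    # No EKU at all (SubCA-style templates) is valid for any purpose, including auth
    return not ekus or any(oid in AUTH_EKUS for oid in ekus)

def esc6_exposed_templates(edit_flags: int, templates: list[dict]) -> list[str]:
    """Enabled templates that, with the SAN flag set, let a low-priv enrollee choose the SAN."""
    if not san_flag_set(edit_flags):
        return []
    return [t["name"] for t in templates
            if t["enabled"] and template_allows_auth(t["ekus"])
            and LOW_PRIV_PRINCIPALS & set(t["enroll"])]

# Constructed sample certutil output and template inventory (not from a real CA)
SAMPLE_CERTUTIL = """  EditFlags REG_DWORD = 15014e (1376590)
    EDITF_REQUESTEXTENSIONLIST -- 2
    EDITF_ATTRIBUTESUBJECTALTNAME2 -- 40000 (262144)
"""
SAMPLE_TEMPLATES = [
    {"name": "User", "enabled": True, "enroll": ["Domain Users"],
     "ekus": ["1.3.6.1.5.5.7.3.2", "1.3.6.1.4.1.311.10.3.4", "1.3.6.1.5.5.7.3.4"]},
    {"name": "WebServer", "enabled": True, "enroll": ["Domain Users"], "ekus": ["1.3.6.1.5.5.7.3.1"]},
    {"name": "SubCA", "enabled": False, "enroll": ["Domain Admins"], "ekus": []},
]
```

Running `esc6_exposed_templates(parse_edit_flags(SAMPLE_CERTUTIL), SAMPLE_TEMPLATES)` on the sample returns only `["User"]`: WebServer is excluded because Server Authentication is not an authentication EKU in the sense above, and SubCA because it is not enabled.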