Users with the privilege to impersonate can act with the identity of other users. In Windows this requires SeImpersonatePrivilege. Often times service accounts with SeImpersonatePrivilege can be exploited to obtain SYSTEM access (see common Windows exploits).
Testing Access
To test if a user has access to a machine, try listing C:, which requires local administrator access.
Common impersonation / lateral movement techniques: