# polenum (obtained through MS-RPC)
polenum -d $DOMAIN -u $USER -p $PASSWORD -d $DOMAIN
# CrackMapExec (obtained through MS-RPC)
cme smb $DOMAIN_CONTROLLER -d $DOMAIN -u $USER -p $PASSWORD --pass-pol
# ldapsearch-ad (obtained through LDAP)
ldapsearch-ad.py -l $LDAP_SERVER -d $DOMAIN -u $USER -p $PASSWORD -t pass-pol
# enum4linux-ng (obtained through MS-RPC)
enum4linux-ng -P -w -u $USER -p $PASSWORD $DOMAIN_CONTROLLER