Password Policy Enumeration
From Linux
nxc smb 172.16.5.5 -u <user> -p password> --pass-pol
rpcclient -U "" -N <target-ip>
rpcclient -U "username" <target-ip>
rpcclient $> querydominfo
enum4linux -P <target-ip>
ldeep ldap -u 'USER' -p "PASS' -d 'domain.local' -s $IP domain_policy
From Windows
PowerView