NetExec has a ton of useful LDAP recon commands, see that page.
This is a checklist to go through when conducting a pentest. Order is irrelevant, and many tests require authenticated or admin access. This checklist answers "what to audit on AD?" rather than "how to pwn AD?". Items:
NTLM configuration
Kerberos configuration
Patch management
Access Management (IAM/PAM)
Credentials Management
Domain-level configuration and best-practices
Networking, protocols and services
Active Directory Certificate Services
Lists all domain users – net user /domain
Obtain information about a user – net user <USER> /domain
List users/information about a domain group – net group "<GROUP>" /domain
Obtain Domain Controllers – nltest /dclist:<DOMAIN>
Identify domain trusts – nltest /trusted_domains
Lists all groups in a domain – net group /domain
Run command prompt as another user within the context of the domain – runas /netonly /user:DOMAIN\USER cmd.exe
[System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest().Sites.Subnets
This only works if LDAP anonymous binding is enabled (I think), which it usually isn't.
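The one-liner above can be extended into a single audit inventory that collects the same facts the net/nltest commands return (domain controllers, trusts, sites and subnets) through the same .NET namespace. This is an added example, not code from the original page; it assumes a domain-joined Windows host running as an ordinary domain user, and the function name Get-AdAuditInventory is made up for this example.

```powershell
# Added example (not from the original page). Assumes a domain-joined host and a
# domain user context; the classes below authenticate as the calling user.
function Get-AdAuditInventory {
    [CmdletBinding()]
    param()

    $forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
    $domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()

    # Domain controllers: the same data as "nltest /dclist:<DOMAIN>", plus site, OS and FSMO roles
    $dcs = foreach ($dc in $domain.DomainControllers) {
        [pscustomobject]@{
            Name      = $dc.Name
            IPAddress = $dc.IPAddress
            Site      = $dc.SiteName
            OSVersion = $dc.OSVersion
            Roles     = ($dc.Roles -join ', ')
        }
    }

    # Trusts, forest-wide: the same data as "nltest /trusted_domains" with type and direction
    $trusts = foreach ($t in $forest.GetAllTrustRelationships()) {
        [pscustomobject]@{
            Source    = $t.SourceName
            Target    = $t.TargetName
            Type      = $t.TrustType
            Direction = $t.TrustDirection
        }
    }

    # Sites and subnets; a site with no subnets is an audit finding worth recording
    $subnets = foreach ($site in $forest.Sites) {
        if ($site.Subnets.Count -eq 0) { Write-Warning "Site '$($site.Name)' has no subnets defined" }
        foreach ($s in $site.Subnets) {
            [pscustomobject]@{ Site = $site.Name; Subnet = $s.Name; Location = $s.Location }
        }
    }

    [pscustomobject]@{
        Forest            = $forest.Name
        ForestMode        = $forest.ForestMode
        Domain            = $domain.Name
        DomainMode        = $domain.DomainMode
        PdcEmulator       = $domain.PdcRoleOwner.Name
        DomainControllers = $dcs
        Trusts            = $trusts
        Subnets           = $subnets
    }
}

# Usage: $inv = Get-AdAuditInventory; $inv.DomainControllers | Format-Table; $inv.Trusts | Format-Table
```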