nmap -n -sV --script "ldap* and not brute" $IP
Null Creds:
ldapsearch -x -H ldap://$IP -D '' -w '' -b "DC=domain,DC=name"
Auth:
ldapsearch -x -H ldap://$IP -D '<DOMAIN>\$Username' -w '$Password' -b "CN=Remote Desktop Users,CN=Builtin,DC=domain,DC=name"
If LAPS is enabled, check for admin password:
ldapsearch -x -H ldap://$IP -D 'domain\$User' -w '123123' -b "dc=domain,dc=name" "(ms-MCS-AdmPwd=*)" ms-MCS-AdmPwd
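Auditing the LAPS check above (added example, not part of the original page): this reads saved ldapsearch LDIF output and lists which computer objects returned ms-MCS-AdmPwd to the account used, so over-broad read ACLs can be reported without copying the passwords. The function names and the sample output are constructed for illustration.

```python
import base64
ATTR = "ms-mcs-admpwd"  # attribute queried on the page; LDAP names are case-insensitive

def unfold(ldif):
    """Join LDIF continuation lines (one leading space continues the previous line)."""
    lines = []
    for raw in ldif.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def parse_line(line):
    """Return (lowercased name, value); 'name:: ...' values are base64-decoded."""
    name, sep, rest = line.partition(":")
    if not sep: return None
    if rest.startswith(":"):
        return name.strip().lower(), base64.b64decode(rest[1:].strip()).decode("utf-8", "replace")
    return name.strip().lower(), rest.strip()

def exposed_laps_hosts(ldif):
    """DNs of entries for which the directory returned a non-empty LAPS password."""
    exposed, dn = [], None
    for line in unfold(ldif):
        if not line.strip():
            dn = None          # blank line ends the current entry
            continue
        parsed = None if line.startswith("#") else parse_line(line)
        if parsed is None:
            continue
        name, value = parsed
        if name == "dn":
            dn = value
        elif name == ATTR and value and dn and dn not in exposed:
            exposed.append(dn)  # record the DN only, never the password
    return exposed

# Constructed sample output (made-up hosts and values): folded DN, base64 DN, no-attribute entry.
_B64_DN = base64.b64encode("CN=SRV-\u00d61,OU=Servers,DC=domain,DC=name".encode()).decode()
SAMPLE = "\n".join([
    "# extended LDIF",
    "dn: CN=WS01,OU=Workstations,", " DC=domain,DC=name", "ms-Mcs-AdmPwd: constructed-value", "",
    "dn:: " + _B64_DN, "ms-Mcs-AdmPwd: constructed-value", "",
    "dn: CN=WS02,OU=Workstations,DC=domain,DC=name", "cn: WS02", "",
])
if __name__ == "__main__":
    for host in exposed_laps_hosts(SAMPLE):
        print("LAPS password readable by this account:", host)
```

Any DN reported for a non-admin account means that account can read the local administrator password for that host, so the attribute's read permission on the containing OU should be reviewed.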