# list PKIs/CAs
cme ldap "domain_controller" -d "domain" -u "user" -p "password" -M adcs
# list subnets referenced in AD-SS
cme ldap "domain_controller" -d "domain" -u "user" -p "password" -M subnets
# machine account quota
cme ldap "domain_controller" -d "domain" -u "user" -p "password" -M maq
# users description
cme ldap "domain_controller" -d "domain" -u "user" -p "password" -M get-desc-users
ldapdomaindump is an Active Directory information dumper via LDAP, outputting information in human-readable HTML files.
ldapdomaindump --user 'DOMAIN\USER' --password $PASSWORD --outdir ldapdomaindump $DOMAIN_CONTROLLER
LDAP anonymous binding is usually disabled but it's worth checking. It could be handy to list the users and test for ASREProasting (since this attack needs no authentication).