Forest

Excellent work to @egre55 & @mrb3n.

Plenty of nudges in this thread. Cheers to @DaChef for banging his head against the keyboard with me because syntax is a thing :).

For user: Ensure you enumerate the listening services. You can use nmap, impacket, or other tools for this. Once you have some usernames, there are certain ways to use those and get some creds. There’s a Ruby script that has been discussed in different Windows machines you can use as well.

For Root: AD enumeration is key. Get the “dog” to work. Go through the output. Google what the relationships mean if you’re not sure. Start with what your current “touches” if you’re lost. Once you find something nice, you can leverage impacket tools to get ya some fat hashes :).

DM me if you need nudges.