rdp

Enumerate the remote desktop users group

Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Desktop Users"

Check domain user group local admin & execution rights (Bloodhound)

Node info tab > Execution rights section > first degree RDP privileges

Find workstations/servers where domain users can RDP

Analysis Tab

WinRM

Enumerate the Remote Management users group

Built-In tool

Get-NetLocalGroupMember -ComputerName ACADEMY-EA-MS01 -GroupName "Remote Management Users"

Bloodhound

Add raw query to the bloodhound custom query #customquery

MATCH p1=shortestPath((u1:User)-[r1:MemberOf*1..]->(g1:Group)) MATCH p2=(u1)-[:CanPSRemote*1..]->(c:Computer) RETURN p2