One Day Sec

How can an attacker outside the domain obtain the domain password policy using LDAP and valid domain credentials?

If port 389 (LDAP) on the domain controller is accessible, use a tool like ldapsearch on Kali with a known domain user's credentials. The command is: `ldapsearch -x -H ldap://DC_IP:389 -D "CN=username,CN=Users,DC=domain,DC=com" -w password -b "DC=domain,DC=com" | grep replUpToDateVector -A 13`. The output contains the raw password policy values (e.g., maxPwdAge, lockoutDuration), which you then convert. This method is covered in detail in "Penetration Basics - Obtaining Domain User Password Policies".
Tags: ldapsearch, outside domain, LDAP, password policy enumeration, kali
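The conversion step mentioned in the answer, as an added example (not code from the original page): Active Directory stores the time-based policy attributes as negative counts of 100-nanosecond intervals, so they need to be turned into days or minutes before they can be read or audited. The function names and the sample output below are constructed for illustration.

```python
from datetime import timedelta

# Policy attributes stored as negative 100-nanosecond tick counts.
INTERVAL_ATTRS = {"maxPwdAge", "minPwdAge", "lockoutDuration", "lockOutObservationWindow"}
# Policy attributes stored as plain integers.
INT_ATTRS = {"lockoutThreshold", "minPwdLength", "pwdHistoryLength", "pwdProperties"}
NEVER = -(2 ** 63)              # INT64_MIN: the stored value for "never" / "no limit"
DOMAIN_PASSWORD_COMPLEX = 0x1   # pwdProperties bit: complexity rules enforced


def ticks_to_timedelta(raw):
    """Convert a raw interval value to a timedelta; None means 'never'."""
    if raw == NEVER:
        return None
    return timedelta(microseconds=abs(raw) // 10)  # 10 ticks per microsecond


def parse_policy(ldif_text):
    """Extract and convert policy attributes from ldapsearch (LDIF) output."""
    policy = {}
    for line in ldif_text.splitlines():
        name, sep, value = line.partition(": ")
        if not sep:
            continue  # blank lines, comments, base64 ("::") attributes
        if name in INTERVAL_ATTRS:
            policy[name] = ticks_to_timedelta(int(value))
        elif name in INT_ATTRS:
            policy[name] = int(value)
    if "pwdProperties" in policy:
        policy["complexityRequired"] = bool(policy["pwdProperties"] & DOMAIN_PASSWORD_COMPLEX)
    return policy


# Constructed sample of the attribute lines the grep in the answer returns.
SAMPLE = """\
lockoutDuration: -18000000000
lockOutObservationWindow: -18000000000
lockoutThreshold: 0
maxPwdAge: -36288000000000
minPwdAge: -864000000000
minPwdLength: 7
pwdProperties: 1
pwdHistoryLength: 24
"""

if __name__ == "__main__":
    for attr, value in parse_policy(SAMPLE).items():
        print(f"{attr:26} {'never' if value is None else value}")
```

A lockoutThreshold of 0, as in this sample, means accounts are never locked out, which is the value a defender reviewing the policy would flag first.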
