What external-domain methods can be used to enumerate users with 'Password Never Expires'?

From outside the domain, you can leverage the `ActiveDirectory` module by importing `Microsoft.ActiveDirectory.Management.dll` and specifying server credentials, e.g., `Search-ADAccount -Server 192.168.1.1 -Credential $cred -PasswordNeverExpires`. PowerView also works with `Get-NetUser -DomainController` and credentials. On Kali, you can use `ldapsearch` with a valid bind DN and password, then grep for `userAccountControl` and check the value manually. These enumeration techniques are commonly used in external recon phases of penetration testing, often coupled with Penetration Basics - Choosing a Suitable C2 Domain for post-exploitation.