Extra

PowerView

*local admin required
these go over RPC and SMB ports:
Find-LocalAdminAccess -Verbose [-Thread <int>]
Invoke-CheckLocalAdminAccess

Invoke-EnumerateLocalAdmin -Verbose
Get-NetLocalGroup
using WMI is stealthier:
Find-WMILocalAdminAccess.ps1

source: https://github.com/admin0987654321/admin1/blob/master/Find-WMILocalAdminAccess.ps1

find where the domain admin has an open session:
Invoke-UserHunter [-GroupName <name> -Domain <domain> -CheckAccess -Stealth]
Get-NetSession
Get-NetLoggedOn
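Both Find-LocalAdminAccess and Invoke-UserHunter sweep every reachable host from one machine, so from the defender's side the same account shows up in network logons (event 4624, logon type 3) on many hosts within seconds. The following is an added detection example, not code from the original notes or from PowerView; the CSV input is a constructed, simplified export of forwarded 4624 events, and the threshold and window are assumptions to tune per environment.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample export: time, target host, account, source IP, logon type
SAMPLE_EVENTS = """time,host,account,source_ip,logon_type
2024-01-10T09:00:01,WS01,CORP\\alice,10.0.0.5,3
2024-01-10T09:00:02,WS02,CORP\\alice,10.0.0.5,3
2024-01-10T09:00:02,WS03,CORP\\alice,10.0.0.5,3
2024-01-10T09:00:03,WS04,CORP\\alice,10.0.0.5,3
2024-01-10T09:00:04,WS05,CORP\\alice,10.0.0.5,3
2024-01-10T09:00:05,WS06,CORP\\alice,10.0.0.5,3
2024-01-10T09:03:00,FS01,CORP\\bob,10.0.0.9,3
2024-01-10T10:15:00,FS01,CORP\\bob,10.0.0.9,3
2024-01-10T11:00:00,WS07,CORP\\alice,10.0.0.5,2
"""

def parse_events(text):
    """Parse the CSV export into dicts with a datetime 'time' field."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["time"] = datetime.fromisoformat(r["time"])
    return rows

def find_fanout(events, min_hosts=5, window=timedelta(minutes=2)):
    """Return {(account, source_ip): hosts} for every account/source pair
    that produced network logons (type 3) on >= min_hosts distinct hosts
    inside a sliding time window. Interactive logons (type 2) are ignored,
    since the sweep cmdlets only generate network logons on the targets."""
    by_actor = defaultdict(list)
    for e in events:
        if e["logon_type"] == "3":  # network logon: SMB/RPC, WMI, ...
            by_actor[(e["account"], e["source_ip"])].append(e)
    alerts = {}
    for actor, evs in by_actor.items():
        evs.sort(key=lambda e: e["time"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["time"] - evs[start]["time"] > window:
                start += 1  # slide the window forward
            hosts = {e["host"] for e in evs[start:end + 1]}
            if len(hosts) >= min_hosts:
                alerts[actor] = alerts.get(actor, set()) | hosts
    return alerts

if __name__ == "__main__":
    for (account, ip), hosts in find_fanout(parse_events(SAMPLE_EVENTS)).items():
        print(f"{account} from {ip} hit {len(hosts)} hosts: {sorted(hosts)}")
```

In practice the same logic runs over a SIEM query grouped by account and source, with the window sized to how fast the sweep cmdlets touch hosts in your network.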

enumeration without PowerShell:

PywerView = https://github.com/the-useless-one/pywerview
WindapSearch = https://github.com/ropnop/windapsearch
