When a Windows password policy enforces account lockout, we have to resort to a much slower method of brute-forcing logins than a regular dictionary attack. Start by using `net accounts` to check the lockout threshold (or use tools like `enum4linux-ng` to query it if not on a domain-joined machine) and plan attacks around the observation window (make `threshold - 1` attempts during a single observation window).
If a valid password is found, try password spraying scripts on all services and admin accounts. If you are lucky, the password may be reused elsewhere by a lazy sysadmin.
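From the defender's side, the pacing described above never trips the per-account lockout counter, so detection has to pivot on the source of the failures rather than on the account. The following is an added example, not part of the original notes: it flags any source that fails against many distinct accounts inside one observation window. The log format, addresses, account names, policy values and `MIN_ACCOUNTS` are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values (what `net accounts` would report); constructed for this example.
LOCKOUT_THRESHOLD = 3
OBSERVATION_WINDOW = timedelta(minutes=30)
MIN_ACCOUNTS = 4  # hypothetical tuning value: distinct accounts per source

# Constructed failed-logon records (e.g. exported from Event ID 4625):
# timestamp, source address, target account.
SAMPLE = """\
2024-05-01T09:00:05 10.0.0.50 alice
2024-05-01T09:00:09 10.0.0.50 bob
2024-05-01T09:00:14 10.0.0.50 carol
2024-05-01T09:00:18 10.0.0.50 dave
2024-05-01T09:20:05 10.0.0.50 alice
2024-05-01T09:20:09 10.0.0.50 bob
2024-05-01T09:20:14 10.0.0.50 carol
2024-05-01T09:20:18 10.0.0.50 dave
2024-05-01T09:05:01 10.0.0.7 frank
2024-05-01T09:05:03 10.0.0.7 frank
2024-05-01T09:05:06 10.0.0.7 frank
"""

def parse(text):
    for line in text.splitlines():
        ts, src, user = line.split()
        yield datetime.fromisoformat(ts), src, user.lower()

def find_sprays(events, window=OBSERVATION_WINDOW, min_accounts=MIN_ACCOUNTS):
    """Return {source: (accounts, peak failures per account in any window)}."""
    by_src = defaultdict(list)
    for ts, src, user in sorted(events):
        by_src[src].append((ts, user))
    hits = {}
    for src, rows in by_src.items():
        start = 0
        for end in range(len(rows)):
            # Slide the window so it never spans more than one observation window.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            counts = defaultdict(int)
            for _, user in rows[start:end + 1]:
                counts[user] += 1
            if len(counts) >= min_accounts:
                accounts, peak = hits.get(src, (set(), 0))
                hits[src] = (accounts | set(counts), max(peak, *counts.values()))
    return hits

if __name__ == "__main__":
    for src, (accounts, peak) in find_sprays(parse(SAMPLE)).items():
        print(src, sorted(accounts), f"peak {peak} < threshold {LOCKOUT_THRESHOLD}")
```

In the sample, `10.0.0.7` locks out one account and is caught by the lockout policy itself, while `10.0.0.50` stays at `threshold - 1` per account and is only visible through the distinct-account count.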