Ping Castle has a free edition (requires installation and .net framework 3.5).

This tool will scan AD for a variety of security issues, including krbtgt password dated, admin accounts not in protected group / allowing delegation (reuse of krb ticket), control paths to permit unprivileged users to gain privileges (by hopping through groups/delegations), vulnerable schema classes, DES enablement on accounts, orphaned SIDs still in security groups, non-existent computers with active accounts… And the list goes on.

Highly recommended, and free for internal/personal use.

https://www.pingcastle.com/