How can user credetials be leveraged when doing a penetration test for a Windows network?

Assume the following scenario:

• NTLMv2 only


• Only Vista machines or higher


• Remote desktop disabled throughout network


• No open shares

psexec needs administrative level access. Without any shares or way to remotly login, are any credentials captured useless in such a network?

If not, how could they be leveraged to gain further access?