*NIX:
you can get a list of usernames through the website...visit the site and write down any email adresses you can find because email adresses are also usually valid login names. you can also run a "whois" and "nslookup" on the domain / host - this will give give you some more email adresses...that of the administrator, etc.
my third suggestion is to telnet to the finger port (port 79) - of one exists...or you can also use a finger client for windoze, e.g. Sam Spade ...
my fourth suggestion is to try some of the default accounts and passwords (weak passwords)


NT:
perhaps you can use a null IPC session and the SID tools to get all user names for a specific pc or the whole domain.

www.hackingexposed.com