- Double click on “Execute-ACLight.bat”.
- Open PowerShell (with -ExecutionPolicy Bypass)
- Go to “ACLight” main folder
- “Import-Module ‘.\ACLight.psm1’”
Reading the results files:
- First check the – “Accounts with extra permissions.txt” file – It’s straight-forward & important list of the privileged accounts that were discovered in the scanned network.
- “All entities with extra permissions.txt” – The file lists all the privileged entities that were discovered, it will include not only the user accounts but also other “empty” entities like empty groups or old accounts.
- “Privileged Accounts Permissions – Final Report.csv” – This is the final summary report – in this file you will find what are the exact sensitive permissions each account has.
- “Privileged Accounts Permissions – Irregular Accounts.csv” – Similar to the final report with only the privileged accounts that have direct assignment of ACL permissions (not through their group membership).
- “[Domain name] – Full Output.csv” – Raw ACLs output for each scanned domain.
Scalability – scanning very large networks or networks with multiple trusted domains:
The tool by default will scan automatically all the domains in the target scanned AD forest.
If you want to scan a specific domain and not the others – you can just close those domains’ pop-up windows when they show up and continue regularly.
If you are scanning very large network (e.g. 50,000+ users in one domain) and encounter memory limitations during the scan – there are some tips you can check in the “issue” page.
The tool uses functions from the open source project PowerView by Will Schroeder (@harmj0y) – a great project.
For more comments and questions, you can contact Asaf Hecht (@Hechtov) and CyberArk Labs.