ACLight is a programme created to find privileged accounts in ActiveDirectory setups using sophisticated Access Control Lists (ACLs) analysis.

ACLight is a tool designed for discovering privileged accounts through advanced Access Control Lists (ACLs) analysis in Active Directory environments. The following steps provide a basic guide on how to use ACLight.


  1. Download ACLight:

Clone or download the ACLight repository from GitHub.

  1. Navigate to the ACLight2 Directory:

Open a PowerShell window and navigate to the ACLight2 main folder.

  1. Import the Module:

Run the following command to import the ACLight2 module:


4.      Start ACLs Analysis:

Run the following command to start the ACLs analysis:


5.      Choose the Target Domain (Optional):

By default, ACLight automatically scans all domains in the scanned network forest. If you're interested in scanning a specific domain, use the Domain parameter:



The tool generates several result files:

"Privileged Accounts - LayersAnalysis.txt":

Executive summary listing the mostprivileged accounts discovered in the scanned network.

"Privileged Accounts Permissions -Final Report.csv":

Final summary report detailing the exactsensitive permissions each account has.

"Privileged Accounts Permissions -Irregular Accounts.csv":

Similar to the final report, focusing onprivileged accounts with direct assignment of ACL permissions (not throughgroup membership).

Additional Information

  • ACLight2 offers improved scan architecture, scalability, and performance.
  • A recursive scan forms the foundation of the tool's multi-layered privileged accounts analysis.
  • You may launch the programme by double-clicking "Execute-ACLight.bat" or by following the PowerShell instructions that come with it.
Table of Contents: