One Day Sec

How can defenders detect DCSync backdoors that grant replication rights to non-privileged users?

Defenders can use automated tools like ACLight, which enumerates the ACLs in Active Directory to find accounts that hold privileged permissions without being members of the high-privilege groups (shadow admins). A DCSync backdoor is exactly this kind of grant: the attacker adds ACEs on the domain object that give a low-privileged account the DS-Replication-Get-Changes and DS-Replication-Get-Changes-All extended rights, which together let that account pull password hashes from a domain controller as if it were a replication partner. ACLight's output, including the "Privileged Accounts - Layers Analysis.txt" report, flags users holding such replication permissions so they can be reviewed against the principals expected to have them (by default the domain controllers and the built-in Administrators group, plus any known sync accounts such as Azure AD Connect's). The article recommends using ACLight for this detection. Because an ACL scan is a point-in-time check, it is worth pairing it with auditing of changes to the domain object's security descriptor (Event ID 5136) and of directory replication requests coming from accounts other than domain controllers (Event ID 4662 with the replication right GUIDs in the Properties field).
DCSync detection, ACLight, shadow admin, Active Directory ACL, privileged account monitoring
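The check described in the answer, written out as an added example (this is not code from the One Day Sec page or from the ACLight project): the detector walks the ACEs of the domain naming-context object, maps the well-known replication extended-right GUIDs to their names, treats GenericAll and an ExtendedRight ACE with the null ObjectType GUID as blanket grants that include replication, and reports every trustee that is not on an allow-list of expected holders. The ACE list is constructed inline; in a live domain the same fields come from the ActiveDirectoryAccessRule objects returned by `(Get-Acl "AD:\$((Get-ADDomain).DistinguishedName)").Access`. The NetBIOS domain name CORP, the account names, and the allow-list beyond the default holders are assumptions.

```python
"""Flag DCSync-capable ACEs on the domain naming-context object.

Added example for the One Day Sec Q&A above; not code from the page or from
the ACLight project. The ACE list is constructed inline; in a live domain the
same fields come from (Get-Acl "AD:\\$((Get-ADDomain).DistinguishedName)").Access
"""
from dataclasses import dataclass

# Well-known extended-right GUIDs (rightsGuid of the control access rights
# under CN=Extended-Rights in the configuration partition).
GET_CHANGES = "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_ALL = "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2"
GET_CHANGES_FILTERED = "89e95b76-444d-4c62-991a-0facbeda640c"
REPLICATION_RIGHTS = {
    GET_CHANGES: "DS-Replication-Get-Changes",
    GET_CHANGES_ALL: "DS-Replication-Get-Changes-All",
    GET_CHANGES_FILTERED: "DS-Replication-Get-Changes-In-Filtered-Set",
}
# An ExtendedRight ACE whose ObjectType is the null GUID grants *all* extended
# rights, replication included, so it must be treated as a blanket grant.
EMPTY_GUID = "00000000-0000-0000-0000-000000000000"

# Principals that hold replication rights on the domain head in a default
# deployment. Assumed domain NetBIOS name CORP; extend this allow-list with
# known sync accounts (for example an Azure AD Connect MSOL_* account).
EXPECTED_HOLDERS = {
    "BUILTIN\\Administrators",
    "NT AUTHORITY\\SYSTEM",
    "NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS",
    "CORP\\Domain Controllers",
    "CORP\\Enterprise Read-only Domain Controllers",
}


@dataclass
class Ace:
    """One access control entry, mirroring ActiveDirectoryAccessRule fields."""
    identity: str                  # IdentityReference, as DOMAIN\\name
    ace_type: str                  # AccessControlType: "Allow" or "Deny"
    rights: frozenset              # ActiveDirectoryRights names
    object_type: str = EMPTY_GUID  # ObjectType GUID; null GUID = all rights


def replication_rights_of(ace):
    """Replication rights one ACE confers, as {right name: how it is granted}."""
    if ace.ace_type != "Allow":
        return {}  # Deny ACEs never grant anything
    if "GenericAll" in ace.rights:
        return {name: "GenericAll" for name in REPLICATION_RIGHTS.values()}
    if "ExtendedRight" in ace.rights:
        if ace.object_type == EMPTY_GUID:
            return {name: "all extended rights" for name in REPLICATION_RIGHTS.values()}
        name = REPLICATION_RIGHTS.get(ace.object_type.lower())
        if name:
            return {name: "explicit"}
    return {}


def find_dcsync_backdoors(aces, expected_holders):
    """Group replication rights by trustee and report trustees not expected to
    hold them. can_dcsync is True when the trustee holds both Get-Changes and
    Get-Changes-All, which a full DCSync of all secrets requires; a partial
    grant is still reported because no non-DC account should have one."""
    allowed = {h.lower() for h in expected_holders}
    by_identity = {}
    for ace in aces:
        granted = replication_rights_of(ace)
        if granted:
            by_identity.setdefault(ace.identity, {}).update(granted)
    findings = []
    for identity, rights in sorted(by_identity.items()):
        if identity.lower() in allowed:
            continue
        findings.append({
            "identity": identity,
            "rights": dict(sorted(rights.items())),
            "can_dcsync": {"DS-Replication-Get-Changes",
                           "DS-Replication-Get-Changes-All"} <= set(rights),
        })
    return findings


# Constructed sample modelled on a domain head's DACL: the defaults, three
# anomalies, and two ACEs that must not be flagged.
ER = frozenset({"ExtendedRight"})
SAMPLE_ACES = [
    Ace("BUILTIN\\Administrators", "Allow", ER, GET_CHANGES),
    Ace("BUILTIN\\Administrators", "Allow", ER, GET_CHANGES_ALL),
    Ace("NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", "Allow", ER, GET_CHANGES),
    Ace("NT AUTHORITY\\ENTERPRISE DOMAIN CONTROLLERS", "Allow", ER, GET_CHANGES_ALL),
    Ace("CORP\\Domain Controllers", "Allow", ER, GET_CHANGES),
    Ace("CORP\\Domain Controllers", "Allow", ER, GET_CHANGES_ALL),
    Ace("CORP\\svc-backup", "Allow", ER, GET_CHANGES),       # backdoor: full DCSync
    Ace("CORP\\svc-backup", "Allow", ER, GET_CHANGES_ALL),
    Ace("CORP\\jdoe", "Allow", ER, GET_CHANGES),             # partial, still anomalous
    Ace("CORP\\helpdesk-tier1", "Allow", ER),                # blanket: all extended rights
    Ace("CORP\\contractor", "Deny", ER, GET_CHANGES_ALL),    # Deny grants nothing
    Ace("CORP\\jdoe", "Allow", frozenset({"ReadProperty", "ListChildren"})),
]

if __name__ == "__main__":
    for f in find_dcsync_backdoors(SAMPLE_ACES, EXPECTED_HOLDERS):
        verdict = "FULL DCSYNC" if f["can_dcsync"] else "partial"
        print(f"{f['identity']}: {verdict}")
        for name, how in f["rights"].items():
            print(f"    {name} ({how})")
```

Run against the sample, the defaults pass silently while svc-backup and helpdesk-tier1 are reported as full DCSync capability (the latter through a blanket extended-rights grant that a GUID-only search would miss) and jdoe as a partial grant. Only the domain head's own DACL matters here; the replication rights are checked on the naming-context object, so ACEs found on child objects do not confer them.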
