A helper script for enabling disabled PZ rules in BloodHound Enterprise (BHE).
enable_disabled_privilege_zone_rules.py is a utility script that connects to a BloodHound Enterprise tenant via the API and enables all disabled Privilege Zone Rules (implemented as Asset Group Tag Selectors).
This is useful for:
- Recovering from bulk rule disablement
- Auditing and restoring Privilege Zone coverage
- Automating tenant hygiene tasks
By default, the script runs in dry-run mode and will only report what it would change.
- Python 3.8+
- requests
Install dependencies:

```bash
pip install requests
```

You can authenticate in two ways:
Token ID and key (signed requests):

```bash
--token-id <TOKEN_ID> \
--token-key <TOKEN_KEY>
```

- `token-id`: Public identifier
- `token-key`: Secret key (shown only once when created)

JWT:

```bash
--jwt <JWT_TOKEN>
```

You can extract this from your browser session.
Dry run (default):

```bash
python enable_disabled_privilege_zone_rules.py \
  --tenant-url https://your-tenant.bloodhoundenterprise.io \
  --token-id "$BHE_TOKEN_ID" \
  --token-key "$BHE_TOKEN_KEY"
```

This will:
- Enumerate all Asset Group Tags
- Identify disabled selectors (Privilege Zone Rules)
- Print what would be enabled
Apply changes:

```bash
python enable_disabled_privilege_zone_rules.py \
  --tenant-url https://your-tenant.bloodhoundenterprise.io \
  --token-id "$BHE_TOKEN_ID" \
  --token-key "$BHE_TOKEN_KEY" \
  --apply
```

This will actively enable all disabled rules.
Example output:

```text
Found disabled rule: tag='Domain Admins' tag_id=123 selector='High Value Users' selector_id=456
Found 1 disabled rule(s).
Enabled selector_id=456 on tag_id=123
Done.
```
- The script uses signed API authentication when using token ID/key
- Query parameters are included in request signing (required by BHE API)
- Safe to run repeatedly; already-enabled rules are ignored
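As an added illustration of the first two notes (signed authentication, query parameters included in the signature), and not code from the script itself: a minimal signer and a server-side verifier for the HMAC-SHA256 chain the BloodHound API documents (method plus URI, then the request date truncated to the hour, then the body). The token values, endpoint path and body below are constructed placeholders.

```python
import base64
import datetime
import hashlib
import hmac

# Constructed values for the example; real token IDs/keys come from the BHE UI.
TOKEN_ID = "example-token-id"
TOKEN_KEY = "example-token-key-not-real"
FIXED_TIME = datetime.datetime(2024, 1, 15, 10, 30, 0, tzinfo=datetime.timezone.utc)


def sign_request(token_id, token_key, method, uri, body=b"", now=None):
    """Build signed-auth headers for one API request.

    `uri` must be the path INCLUDING the query string: the query parameters
    are part of the signed data, so signing the bare path gives a signature
    the server rejects.
    """
    now = now or datetime.datetime.now().astimezone()
    request_date = now.isoformat("T")
    # Link 1: HMAC(token_key, METHOD + URI) binds the operation and its query
    digester = hmac.new(token_key.encode(), f"{method}{uri}".encode(), hashlib.sha256)
    # Link 2: HMAC(previous, date to the hour) bounds how long a capture is valid
    digester = hmac.new(digester.digest(), request_date[:13].encode(), hashlib.sha256)
    # Link 3: HMAC(previous, body) binds the JSON payload (empty for GET)
    digester = hmac.new(digester.digest(), body, hashlib.sha256)
    return {
        "Authorization": f"bhesignature {token_id}",
        "RequestDate": request_date,
        "Signature": base64.b64encode(digester.digest()).decode(),
        "Content-Type": "application/json",
    }


def verify_request(token_key, method, uri, body, headers):
    """Server-side view: recompute the chain from the received headers and
    compare in constant time. Any change to method, path, query, body or
    hour window yields False."""
    try:
        sent = datetime.datetime.fromisoformat(headers["RequestDate"])
    except (KeyError, ValueError):
        return False
    expected = sign_request("", token_key, method, uri, body, now=sent)["Signature"]
    return hmac.compare_digest(expected, headers.get("Signature", ""))


if __name__ == "__main__":
    # Assumed path for illustration only; the script owns the real endpoints.
    uri = "/api/v2/asset-group-tags?include_counts=false"
    hdrs = sign_request(TOKEN_ID, TOKEN_KEY, "GET", uri, now=FIXED_TIME)
    print(hdrs["Signature"])
    # Replaying against the bare path (query dropped) must fail verification
    print(verify_request(TOKEN_KEY, "GET", "/api/v2/asset-group-tags", b"", hdrs))
```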
Use with caution in production environments. While the script is designed to be safe and idempotent, it will modify Privilege Zone rule state when run with --apply.
- Tag filtering (`--tag-name`/`--tag-id`)
- CSV/JSON export of findings
- Parallel execution for large tenants
- Logging to file
MIT (or your preferred license)