diff --git a/Bump-Version.ps1 b/Bump-Version.ps1
index 97a104b..7782ad4 100644
--- a/Bump-Version.ps1
+++ b/Bump-Version.ps1
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Bump-Version.ps1 ##
-## Version: 2.2.3 ##
+## Version: 2.2.4 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 44b0d2f..34a7db2 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,14 @@ Starting with **v2.2.0**, Elysium uses a **unified project version**. All script
 ---
+## [2.2.4] — 2026-06-09
+
+### Fixed
+- `Test-ReplicationPermissions` (in `Elysium.Common.ps1`) now skips `InheritOnly` ACEs when evaluating replication rights. An ACE marked `InheritOnly` applies only to child objects, not the domain root itself, so it does not grant the required extended rights for DCSync on the domain object.
+- `Import-CompatModule` (in `Test-WeakADPasswords.ps1`) now detects DSInternals being blocked by Windows `Zone.Identifier` (alternate data stream from internet download) and throws a clear, actionable error with the exact `Unblock-File` command to run. Previously this surfaced as an opaque non-FIPS warning.
+
+---
+
 ## [2.2.3] — 2026-06-09
 ### Fixed
diff --git a/Elysium.Common.ps1 b/Elysium.Common.ps1
index e08300f..cc4d59b 100644
--- a/Elysium.Common.ps1
+++ b/Elysium.Common.ps1
@@ -1,4 +1,4 @@
-$script:ElysiumVersion = '2.2.3'
+$script:ElysiumVersion = '2.2.4'
 function Invoke-RestartWithExecutable {
 param(
@@ -379,6 +379,8 @@ function Test-ReplicationPermissions {
 $aceExistsForGuid = $false
 foreach ($ace in $acl) {
 if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
+ # InheritOnly ACEs apply to child objects only — the domain root itself is not covered
+ if ([bool]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
 $rights = $ace.ActiveDirectoryRights
 $hasExtended = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
 $hasGenericAll = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
diff --git a/Elysium.ps1 b/Elysium.ps1
index d4bb738..b5ea28b 100644
--- a/Elysium.ps1
+++ b/Elysium.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Elysium.ps1 ##
-## Version: 2.2.3 ##
+## Version: 2.2.4 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/ElysiumSettings.txt.sample b/ElysiumSettings.txt.sample
index af462c0..f3ed3f6 100644
--- a/ElysiumSettings.txt.sample
+++ b/ElysiumSettings.txt.sample
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: ElysiumSettings.txt ##
-## Version: 2.2.3 ##
+## Version: 2.2.4 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Extract-NTHashes.ps1 b/Extract-NTHashes.ps1
index 85522bc..54c73d8 100644
--- a/Extract-NTHashes.ps1
+++ b/Extract-NTHashes.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Extract-NTHashes.ps1 ##
-## Version: 2.2.3 ##
+## Version: 2.2.4 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Prepare-KHDBStorage.ps1 b/Prepare-KHDBStorage.ps1
index 3f62a19..a43b973 100644
--- a/Prepare-KHDBStorage.ps1
+++ b/Prepare-KHDBStorage.ps1
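Review bot: The new `continue` in Test-ReplicationPermissions (Elysium.Common.ps1) drops InheritOnly ACEs silently, so an operator whose delegation was scoped to descendant objects only gets a failed permission check with no hint as to why. Consider emitting a verbose line before skipping, e.g. `Write-Verbose ("Skipping InheritOnly ACE for {0}" -f $ace.IdentityReference)`, which means expanding the one-line `if` into a block. The filter sits ahead of the rights evaluation, so it also excludes InheritOnly ACEs that carry GenericAll, which looks intended. The loop body and the rest of the function continue outside the hunk, so whether `$acl` is already narrowed to a single identity cannot be confirmed from here.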
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Prepare-KHDBStorage.ps1 ##
-## Version: 2.2.3 ##
+## Version: 2.2.4 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Test-WeakADPasswords.ps1 b/Test-WeakADPasswords.ps1
index 37e8f77..6bb5e47 100644
--- a/Test-WeakADPasswords.ps1
+++ b/Test-WeakADPasswords.ps1
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Test-WeakADPasswords.ps1 ##
-## Version: 2.2.3 ##
+## Version: 2.2.4 ##
 ## Support: support@cqre.net ##
 ##################################################
@@ -352,7 +352,11 @@ function Import-CompatModule {
 $nonFipsErrors = @($importErrors | Where-Object { $_.Exception.Message -notmatch 'Only FIPS certified cryptographic algorithms are enabled in \.NET' })
 if ($nonFipsErrors.Count -gt 0) {
- Write-Warning ("DSInternals import reported non-fatal warning(s): {0}" -f $nonFipsErrors[0].Exception.Message)
+ $nonFipsMsg = $nonFipsErrors[0].Exception.Message
+ if ($nonFipsMsg -match 'Zone\.Identifier|alternate data stream') {
+ throw ("DSInternals native DLL is blocked by Windows (Zone.Identifier). Run the following on the target machine and retry:`n Get-ChildItem -Path '$env:ProgramFiles\WindowsPowerShell\DSInternals' -Recurse | Unblock-File")
+ }
+ Write-Warning ("DSInternals import reported non-fatal warning(s): {0}" -f $nonFipsMsg)
 }
 Write-Verbose ("Imported module '{0}' (Core={1}, Windows={2})" -f $Name, $runningInPSCore, $onWindows)
diff --git a/Uninstall.ps1 b/Uninstall.ps1
index 5b45a55..d7c999b 100644
--- a/Uninstall.ps1
+++ b/Uninstall.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Uninstall.ps1 ##
-## Version: 2.2.3 ##
+## Version: 2.2.4 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Update-KHDB.ps1 b/Update-KHDB.ps1
index 6397b64..493d9f7 100644
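Review bot: In Import-CompatModule (Test-WeakADPasswords.ps1) the Zone.Identifier test looks only at `$nonFipsErrors[0]`, so a blocked-DLL error that is not first in the list still ends up as the generic warning; matching across all of `$nonFipsErrors` would close that gap. The thrown message also hard-codes `$env:ProgramFiles\WindowsPowerShell\DSInternals`, which may not be the directory the module was actually loaded from, so the printed command can point at the wrong files. Because `Unblock-File` clears the marker that flags the DLLs as downloaded, and this module is presumably then used with replication-level rights, the message should ask the operator to confirm the files' origin first, for example with `Get-AuthenticodeSignature`. The sketch below assumes `$Name` holds the module name, as the Write-Verbose line in the hunk suggests; the function starts and ends outside the hunk.

```powershell
# … unchanged: $nonFipsMsg assignment …
$blocked = @($nonFipsErrors | Where-Object {
    $_.Exception.Message -match 'Zone\.Identifier|alternate data stream'
})
if ($blocked.Count -gt 0) {
    # Report the directory the module was found in rather than an assumed install path.
    $moduleDir = (Get-Module -ListAvailable -Name $Name | Select-Object -First 1).ModuleBase
    throw ("DSInternals native DLL is blocked by Windows (Zone.Identifier). Confirm the files come from a trusted source (for example with Get-AuthenticodeSignature), then run the following on the target machine and retry:`n Get-ChildItem -Path '$moduleDir' -Recurse | Unblock-File")
}
# … unchanged: Write-Warning with $nonFipsMsg …
```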
--- a/Update-KHDB.ps1
+++ b/Update-KHDB.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Update-KHDB.ps1 ##
-## Version: 2.2.3 ##
+## Version: 2.2.4 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Update-LithnetStore.ps1 b/Update-LithnetStore.ps1
index 528cdb4..eaa67c8 100644
--- a/Update-LithnetStore.ps1
+++ b/Update-LithnetStore.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Update-LithnetStore.ps1 ##
-## Version: 2.2.3 ##
+## Version: 2.2.4 ##
 ## Support: support@cqre.net ##
 ##################################################