Release v2.2.4: permission check InheritOnly fix and DSInternals block detection

Test-ReplicationPermissions:
- Skip InheritOnly ACEs since they do not apply to the domain root
  object itself, only to child objects.

Test-WeakADPasswords:
- Detect Windows Zone.Identifier blocks on DSInternals DLLs and
  emit a clear error with the exact Unblock-File remediation
  command instead of a vague warning.

All versions bumped to unified v2.2.4.
2026-06-09 13:07:46 +02:00
parent 9496063b97
commit 0175864e72
11 changed files with 25 additions and 11 deletions
+3 -1
@@ -1,4 +1,4 @@
$script:ElysiumVersion = '2.2.3'
$script:ElysiumVersion = '2.2.4'
function Invoke-RestartWithExecutable {
param(
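Review bot: The `$script:ElysiumVersion` assignment at the top of this file is a hard-coded literal, and the commit message says every version was bumped by hand across the 11 changed files. Consider having the scripts read the version from one shared location so a release cannot leave one file on the previous number.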
@@ -379,6 +379,8 @@ function Test-ReplicationPermissions {
$aceExistsForGuid = $false
foreach ($ace in $acl) {
if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
# InheritOnly ACEs apply to child objects only — the domain root itself is not covered
if ([bool]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
$rights = $ace.ActiveDirectoryRights
$hasExtended = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
$hasGenericAll = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
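Review bot: The new InheritOnly filter, placed right after the Allow check, drops the ACE with a silent `continue`, so an operator who sees a principal in the domain root ACL has no way to tell why the audit did not count it. Consider a `Write-Verbose` line naming `$ace.IdentityReference` before the `continue`. Two smaller points on the same lines: the `[bool]` cast is redundant inside an `if` condition, and the comment contains a non-ASCII dash, which Windows PowerShell 5.1 will misread if the file is saved as UTF-8 without a BOM, so an ASCII hyphen is safer there.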