diff --git a/Bump-Version.ps1 b/Bump-Version.ps1
index 756fa22..850f66d 100644
--- a/Bump-Version.ps1
+++ b/Bump-Version.ps1
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Bump-Version.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f4adba2..68700e6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,13 @@ Starting with **v2.2.0**, Elysium uses a **unified project version**. All script
 ---
+## [2.2.2] — 2026-06-09
+
+### Fixed
+- `Test-ReplicationPermissions` (in `Elysium.Common.ps1`) now resolves the caller's **effective token SIDs** via the `tokenGroups` constructed attribute instead of walking `MemberOf` directly. This correctly accounts for nested group memberships and avoids false-positive "missing permissions" errors when the account is entitled through nested groups.
+
+---
+
 ## [2.2.1] — 2026-06-09
 ### Changed
diff --git a/Elysium.Common.ps1 b/Elysium.Common.ps1
index e9f4cae..9350fbb 100644
--- a/Elysium.Common.ps1
+++ b/Elysium.Common.ps1
@@ -1,4 +1,4 @@
-$script:ElysiumVersion = '2.2.1'
+$script:ElysiumVersion = '2.2.2'
 function Invoke-RestartWithExecutable {
 param(
@@ -338,14 +338,20 @@ function Test-ReplicationPermissions {
 try {
 $samName = $Credential.UserName -replace '^.*\\', ''
 $adUser = Get-ADUser -Identity $samName -Server $Server -Credential $Credential `
- -Properties SID, MemberOf -ErrorAction Stop
+ -Properties SID, DistinguishedName -ErrorAction Stop
 [void]$callerSids.Add($adUser.SID.Value)
- foreach ($groupDN in @($adUser.MemberOf)) {
- try {
- $g = Get-ADGroup -Identity $groupDN -Server $Server -Credential $Credential `
- -Properties SID -ErrorAction Stop
- [void]$callerSids.Add($g.SID.Value)
- } catch { }
+
+ # tokenGroups is a constructed attribute containing all SIDs in the user's token,
+ # including nested group memberships — more reliable than walking MemberOf recursively
+ $userDe = New-Object System.DirectoryServices.DirectoryEntry(
+ "LDAP://$Server/$($adUser.DistinguishedName)",
+ $Credential.UserName,
+ $Credential.GetNetworkCredential().Password
+ )
+ $userDe.RefreshCache(@('tokenGroups'))
+ foreach ($sidBytes in $userDe.Properties['tokenGroups']) {
+ $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
+ [void]$callerSids.Add($sid.Value)
 }
 } catch {
 Write-Warning ("Could not resolve account SIDs for replication permission pre-check: {0}. Skipping." -f $_.Exception.Message)
diff --git a/Elysium.ps1 b/Elysium.ps1
index 8da0156..367e725 100644
--- a/Elysium.ps1
+++ b/Elysium.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Elysium.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/ElysiumSettings.txt.sample b/ElysiumSettings.txt.sample
index 3ac8bf2..17ea414 100644
--- a/ElysiumSettings.txt.sample
+++ b/ElysiumSettings.txt.sample
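Review bot: The `DirectoryEntry` created in the `Test-ReplicationPermissions` hunk is never disposed and is bound with whatever authentication flags the three-argument constructor defaults to, so the plaintext password taken from `GetNetworkCredential()` stays attached to a live connection object and the `tokenGroups` read does not explicitly request signing or sealing. Pass an explicit `AuthenticationTypes` value as the fourth constructor argument and release the entry in a `finally`, as sketched below. Any failure in this new bind (for instance a distinguished name with characters that may need escaping inside the `LDAP://` path string) now lands in the outer `catch`, which warns and skips the pre-check, whereas the removed loop tolerated individual group lookup failures; the code after that `catch` is outside the hunk, so confirm that skipping is the intended fail-open outcome. The function body starts before and ends after the visible lines.

```powershell
$userDe = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Server/$($adUser.DistinguishedName)",
    $Credential.UserName,
    $Credential.GetNetworkCredential().Password,
    [System.DirectoryServices.AuthenticationTypes]'Secure, Signing, Sealing'
)
try {
    # … unchanged: RefreshCache(@('tokenGroups')) and the SID loop …
} finally {
    # Release the LDAP connection and the credentials it holds.
    $userDe.Dispose()
}
```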
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: ElysiumSettings.txt ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Extract-NTHashes.ps1 b/Extract-NTHashes.ps1
index 07e068b..27057d9 100644
--- a/Extract-NTHashes.ps1
+++ b/Extract-NTHashes.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Extract-NTHashes.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Prepare-KHDBStorage.ps1 b/Prepare-KHDBStorage.ps1
index c9db7a4..8884010 100644
--- a/Prepare-KHDBStorage.ps1
+++ b/Prepare-KHDBStorage.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Prepare-KHDBStorage.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Test-WeakADPasswords.ps1 b/Test-WeakADPasswords.ps1
index 07406d9..ccda120 100644
--- a/Test-WeakADPasswords.ps1
+++ b/Test-WeakADPasswords.ps1
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Test-WeakADPasswords.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Uninstall.ps1 b/Uninstall.ps1
index 5261bca..74ba211 100644
--- a/Uninstall.ps1
+++ b/Uninstall.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Uninstall.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Update-KHDB.ps1 b/Update-KHDB.ps1
index 1064cd5..16eb3a2 100644
--- a/Update-KHDB.ps1
+++ b/Update-KHDB.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Update-KHDB.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Update-LithnetStore.ps1 b/Update-LithnetStore.ps1
index 1d016e3..e9bb714 100644
--- a/Update-LithnetStore.ps1
+++ b/Update-LithnetStore.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Update-LithnetStore.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################