From 27a682a968e816e32dfb0b39aeb6fd0b52255283 Mon Sep 17 00:00:00 2001
From: Tomas Kracmar
Date: Tue, 9 Jun 2026 11:41:14 +0200
Subject: [PATCH] Release v2.2.2: fix replication permission check for nested groups

Test-ReplicationPermissions now uses the tokenGroups constructed attribute to resolve all effective SIDs in the caller's Kerberos token, including nested group memberships. This replaces the previous MemberOf walk which missed indirect entitlement and could produce false-positive missing-permission errors.

All versions bumped to unified v2.2.2.
---
 Bump-Version.ps1 | 2 +-
 CHANGELOG.md | 7 +++++++
 Elysium.Common.ps1 | 22 ++++++++++++++--------
 Elysium.ps1 | 2 +-
 ElysiumSettings.txt.sample | 2 +-
 Extract-NTHashes.ps1 | 2 +-
 Prepare-KHDBStorage.ps1 | 2 +-
 Test-WeakADPasswords.ps1 | 2 +-
 Uninstall.ps1 | 2 +-
 Update-KHDB.ps1 | 2 +-
 Update-LithnetStore.ps1 | 2 +-
 11 files changed, 30 insertions(+), 17 deletions(-)

diff --git a/Bump-Version.ps1 b/Bump-Version.ps1
index 756fa22..850f66d 100644
--- a/Bump-Version.ps1
+++ b/Bump-Version.ps1
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Bump-Version.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/CHANGELOG.md b/CHANGELOG.md
index f4adba2..68700e6 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,13 @@ Starting with **v2.2.0**, Elysium uses a **unified project version**. All script
 ---
+## [2.2.2] — 2026-06-09
+
+### Fixed
+- `Test-ReplicationPermissions` (in `Elysium.Common.ps1`) now resolves the caller's **effective token SIDs** via the `tokenGroups` constructed attribute instead of walking `MemberOf` directly. This correctly accounts for nested group memberships and avoids false-positive "missing permissions" errors when the account is entitled through nested groups.
+
+---
+
 ## [2.2.1] — 2026-06-09
 ### Changed
diff --git a/Elysium.Common.ps1 b/Elysium.Common.ps1
index e9f4cae..9350fbb 100644
--- a/Elysium.Common.ps1
+++ b/Elysium.Common.ps1
@@ -1,4 +1,4 @@
-$script:ElysiumVersion = '2.2.1'
+$script:ElysiumVersion = '2.2.2'
 function Invoke-RestartWithExecutable {
 param(
@@ -338,14 +338,20 @@ function Test-ReplicationPermissions {
 try {
 $samName = $Credential.UserName -replace '^.*\\', ''
 $adUser = Get-ADUser -Identity $samName -Server $Server -Credential $Credential `
- -Properties SID, MemberOf -ErrorAction Stop
+ -Properties SID, DistinguishedName -ErrorAction Stop
 [void]$callerSids.Add($adUser.SID.Value)
- foreach ($groupDN in @($adUser.MemberOf)) {
- try {
- $g = Get-ADGroup -Identity $groupDN -Server $Server -Credential $Credential `
- -Properties SID -ErrorAction Stop
- [void]$callerSids.Add($g.SID.Value)
- } catch { }
+
+ # tokenGroups is a constructed attribute containing all SIDs in the user's token,
+ # including nested group memberships — more reliable than walking MemberOf recursively
+ $userDe = New-Object System.DirectoryServices.DirectoryEntry(
+ "LDAP://$Server/$($adUser.DistinguishedName)",
+ $Credential.UserName,
+ $Credential.GetNetworkCredential().Password
+ )
+ $userDe.RefreshCache(@('tokenGroups'))
+ foreach ($sidBytes in $userDe.Properties['tokenGroups']) {
+ $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
+ [void]$callerSids.Add($sid.Value)
 }
 } catch {
 Write-Warning ("Could not resolve account SIDs for replication permission pre-check: {0}. Skipping." -f $_.Exception.Message)
diff --git a/Elysium.ps1 b/Elysium.ps1
index 8da0156..367e725 100644
--- a/Elysium.ps1
+++ b/Elysium.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Elysium.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/ElysiumSettings.txt.sample b/ElysiumSettings.txt.sample
index 3ac8bf2..17ea414 100644
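Review bot: The `New-Object System.DirectoryServices.DirectoryEntry(...)` bind in the new block passes only the path, user name and plaintext password, so the LDAP session's `AuthenticationTypes` is left at the constructor default and the entry is never disposed anywhere in the hunk. For a tool that handles domain credentials on its way to replication rights I would pin the bind explicitly to `Secure -bor Sealing -bor Signing`, so the bind and the `tokenGroups` read are signed and encrypted regardless of what the default resolves to on a given .NET/PowerShell host, and release the COM-backed entry in a `finally`. Note also that the DN is interpolated into the ADsPath unescaped; a DN containing `/` would fail the bind, and because the outer `catch` only warns and says "Skipping." the pre-check then degrades to fail-open — that is the existing behaviour, but if intended it deserves a comment such as `# pre-check is advisory: any failure here skips it rather than blocking the run`. `Test-ReplicationPermissions` begins before this hunk and the `catch` block closes after it.
```powershell
$userDe = New-Object System.DirectoryServices.DirectoryEntry(
    "LDAP://$Server/$($adUser.DistinguishedName)",
    $Credential.UserName,
    $Credential.GetNetworkCredential().Password,
    ([System.DirectoryServices.AuthenticationTypes]::Secure -bor
     [System.DirectoryServices.AuthenticationTypes]::Sealing -bor
     [System.DirectoryServices.AuthenticationTypes]::Signing)
)
try {
    $userDe.RefreshCache(@('tokenGroups'))
    foreach ($sidBytes in $userDe.Properties['tokenGroups']) {
        # … unchanged: SecurityIdentifier construction and $callerSids.Add …
    }
} finally {
    # DirectoryEntry wraps a COM object; release it and the bound session deterministically
    $userDe.Dispose()
}
```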
--- a/ElysiumSettings.txt.sample
+++ b/ElysiumSettings.txt.sample
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: ElysiumSettings.txt ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Extract-NTHashes.ps1 b/Extract-NTHashes.ps1
index 07e068b..27057d9 100644
--- a/Extract-NTHashes.ps1
+++ b/Extract-NTHashes.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Extract-NTHashes.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Prepare-KHDBStorage.ps1 b/Prepare-KHDBStorage.ps1
index c9db7a4..8884010 100644
--- a/Prepare-KHDBStorage.ps1
+++ b/Prepare-KHDBStorage.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Prepare-KHDBStorage.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Test-WeakADPasswords.ps1 b/Test-WeakADPasswords.ps1
index 07406d9..ccda120 100644
--- a/Test-WeakADPasswords.ps1
+++ b/Test-WeakADPasswords.ps1
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Test-WeakADPasswords.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Uninstall.ps1 b/Uninstall.ps1
index 5261bca..74ba211 100644
--- a/Uninstall.ps1
+++ b/Uninstall.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Uninstall.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Update-KHDB.ps1 b/Update-KHDB.ps1
index 1064cd5..16eb3a2 100644
--- a/Update-KHDB.ps1
+++ b/Update-KHDB.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Update-KHDB.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Update-LithnetStore.ps1 b/Update-LithnetStore.ps1
index 1d016e3..e9bb714 100644
--- a/Update-LithnetStore.ps1
+++ b/Update-LithnetStore.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Update-LithnetStore.ps1 ##
-## Version: 2.2.1 ##
+## Version: 2.2.2 ##
 ## Support: support@cqre.net ##
 ##################################################