cqrenet/elysium
4
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Release v2.4.0: DC clock skew check, SDProp/Protected Users warnings, and DSInternals install fix

Browse Source 
Added pre-flight diagnostics:
- Test-DCClockSkew: validates local/DC clock skew before DCSync to
  catch Kerberos auth failures early.
- Test-ReplicationPermissions now warns on adminCount=1 (SDProp
  protected) and Protected Users group membership (RID 525), both
  of which can silently block or revert replication rights.

Fixed DSInternals update flow:
- Replaced Update-Module with Install-Module -Force -AllowClobber
  to work around a PowerShellGet null PublishedDate bug.

All versions bumped to unified v2.4.0.
This commit is contained in:
Tomas Kracmar
2026-06-09 13:32:21 +02:00
parent 6b2ae6c8b5
commit 3ee3da745a
11 changed files with 71 additions and 14 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Bump-Version.ps1
+1 -1
View File
@@ -8,7 +8,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Bump-Version.ps1 ## ## File: Bump-Version.ps1 ##
## Version: 2.3.0 ## ## Version: 2.4.0 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
CHANGELOG.md
+12
View File
@@ -6,6 +6,18 @@ Starting with **v2.2.0**, Elysium uses a **unified project version**. All script
--- ---
## [2.4.0] — 2026-06-09
### Added
- **DC clock skew pre-flight check** (`Test-DCClockSkew` in `Elysium.Common.ps1`): compares the local machine clock against the target DC's `RootDSE.currentTime` before attempting DCSync. Warns if skew exceeds 300s (Kerberos hard limit) or 60s (approaching limit), and provides the `w32tm /resync /force` remediation command.
- **SDProp protection warning** in `Test-ReplicationPermissions`: detects `adminCount=1` on the service account and warns that SDProp runs every 60 minutes and may silently revert replication rights or group memberships.
- **Protected Users group warning** in `Test-ReplicationPermissions`: detects membership in the Protected Users group (RID 525) and warns that it restricts Kerberos delegation and RC4 authentication required by DSInternals for DRS replication.
### Fixed
- DSInternals auto-update flow now uses `Install-Module -Force -AllowClobber` instead of `Update-Module` to avoid a PowerShellGet bug where null `PublishedDate` metadata causes "cannot convert null to type system.datetime".
---
## [2.3.0] — 2026-06-09 ## [2.3.0] — 2026-06-09
### Added ### Added
Elysium.Common.ps1
+44 -2
View File
@@ -1,4 +1,4 @@
$script:ElysiumVersion = '2.3.0' $script:ElysiumVersion = '2.4.0'
function Invoke-RestartWithExecutable { function Invoke-RestartWithExecutable {
param( param(
@@ -338,7 +338,7 @@ function Test-ReplicationPermissions {
try { try {
$samName = $Credential.UserName -replace '^.*\\', '' $samName = $Credential.UserName -replace '^.*\\', ''
$adUser = Get-ADUser -Identity $samName -Server $Server -Credential $Credential ` $adUser = Get-ADUser -Identity $samName -Server $Server -Credential $Credential `
-Properties SID, DistinguishedName -ErrorAction Stop -Properties SID, DistinguishedName, adminCount -ErrorAction Stop
[void]$callerSids.Add($adUser.SID.Value) [void]$callerSids.Add($adUser.SID.Value)
# tokenGroups is a constructed attribute containing all SIDs in the user's token, # tokenGroups is a constructed attribute containing all SIDs in the user's token,
@@ -353,6 +353,19 @@ function Test-ReplicationPermissions {
$sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0) $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
[void]$callerSids.Add($sid.Value) [void]$callerSids.Add($sid.Value)
} }
# adminCount=1 means SDProp is managing this account; it runs every 60 min and can
# silently revert replication rights or group memberships granted to the account
if ($adUser.adminCount -eq 1) {
Write-Warning ("Account '{0}' has adminCount=1 (SDProp-protected). It is or was a member of a privileged group. SDProp runs every 60 minutes and may silently revert replication rights or group memberships on this account." -f $Credential.UserName)
}
# Protected Users group (RID 525) blocks the Kerberos mechanisms DSInternals uses for DRS
$domainSidStr = $adUser.SID.Value.Substring(0, $adUser.SID.Value.LastIndexOf('-'))
$protectedUsersSid = "$domainSidStr-525"
if ($callerSids.Contains($protectedUsersSid)) {
Write-Warning ("Account '{0}' is a member of Protected Users. This group restricts Kerberos delegation and RC4 authentication that DSInternals requires for DRS replication — access will be denied regardless of assigned rights." -f $Credential.UserName)
}
} catch { } catch {
Write-Warning ("Could not resolve account SIDs for replication permission pre-check: {0}. Skipping." -f $_.Exception.Message) Write-Warning ("Could not resolve account SIDs for replication permission pre-check: {0}. Skipping." -f $_.Exception.Message)
return return
@@ -409,3 +422,32 @@ function Test-ReplicationPermissions {
Write-Host ("[+] Replication permissions verified for '{0}'." -f $Credential.UserName) Write-Host ("[+] Replication permissions verified for '{0}'." -f $Credential.UserName)
} }
function Test-DCClockSkew {
param(
[Parameter(Mandatory)][string]$Server,
[Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
)
try {
$rootDse = New-Object System.DirectoryServices.DirectoryEntry(
"LDAP://$Server/RootDSE",
$Credential.UserName,
$Credential.GetNetworkCredential().Password
)
$dcTimeStr = $rootDse.Properties['currentTime'][0]
$dcTime = [datetime]::ParseExact(
$dcTimeStr, 'yyyyMMddHHmmss.0Z',
[System.Globalization.CultureInfo]::InvariantCulture,
[System.Globalization.DateTimeStyles]::AssumeUniversal).ToUniversalTime()
$skewSeconds = [Math]::Abs(([datetime]::UtcNow - $dcTime).TotalSeconds)
if ($skewSeconds -gt 300) {
Write-Warning ("Clock skew of {0:N0}s with '{1}' exceeds Kerberos limit of 300s — authentication will fail. Sync the clock: w32tm /resync /force" -f $skewSeconds, $Server)
} elseif ($skewSeconds -gt 60) {
Write-Warning ("Clock skew of {0:N0}s detected with '{1}'. Kerberos allows up to 300s — approaching the limit." -f $skewSeconds, $Server)
} else {
Write-Host ("[+] Clock skew with '{0}': {1:N0}s (OK)." -f $Server, $skewSeconds)
}
} catch {
Write-Warning ("Could not check clock skew against '{0}': {1}" -f $Server, $_.Exception.Message)
}
}
Elysium.ps1
+1 -1
View File
@@ -7,7 +7,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Elysium.ps1 ## ## File: Elysium.ps1 ##
## Version: 2.3.0 ## ## Version: 2.4.0 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
ElysiumSettings.txt.sample
+1 -1
View File
@@ -8,7 +8,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: ElysiumSettings.txt ## ## File: ElysiumSettings.txt ##
## Version: 2.3.0 ## ## Version: 2.4.0 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
Extract-NTHashes.ps1
+1 -1
View File
@@ -7,7 +7,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Extract-NTHashes.ps1 ## ## File: Extract-NTHashes.ps1 ##
## Version: 2.3.0 ## ## Version: 2.4.0 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
Prepare-KHDBStorage.ps1
+1 -1
View File
@@ -7,7 +7,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Prepare-KHDBStorage.ps1 ## ## File: Prepare-KHDBStorage.ps1 ##
## Version: 2.3.0 ## ## Version: 2.4.0 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
Test-WeakADPasswords.ps1
+7 -4
View File
@@ -8,7 +8,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Test-WeakADPasswords.ps1 ## ## File: Test-WeakADPasswords.ps1 ##
## Version: 2.3.0 ## ## Version: 2.4.0 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
@@ -398,12 +398,14 @@ $dsInternalsVersion = (Get-Module -Name DSInternals).Version
$minimumVersion = [version]'7.0' $minimumVersion = [version]'7.0'
$unsignedVersion = [version]'6.2' $unsignedVersion = [version]'6.2'
if ($dsInternalsVersion -eq $unsignedVersion) { if ($dsInternalsVersion -eq $unsignedVersion) {
Write-Warning ("DSInternals {0} is not digitally signed, which blocks its native DLLs and causes replication failures. Update to v7.0+: Update-Module DSInternals" -f $dsInternalsVersion) Write-Warning ("DSInternals {0} is not digitally signed, which blocks its native DLLs and causes replication failures. Update to v7.0+: Install-Module DSInternals -Force -AllowClobber" -f $dsInternalsVersion)
} elseif ($dsInternalsVersion -lt $minimumVersion) { } elseif ($dsInternalsVersion -lt $minimumVersion) {
$resp = Read-Host ("DSInternals {0} is installed; v7.0 fixes intermittent replication CRC errors and result truncation. Update now? [Y/N]" -f $dsInternalsVersion) $resp = Read-Host ("DSInternals {0} is installed; v7.0 fixes intermittent replication CRC errors and result truncation. Update now? [Y/N]" -f $dsInternalsVersion)
if ($resp -match '^(?i:y|yes)$') { if ($resp -match '^(?i:y|yes)$') {
try { try {
Update-Module -Name DSInternals -Force -ErrorAction Stop # Install-Module -Force is used instead of Update-Module to avoid a PowerShellGet bug
# where null PublishedDate metadata causes "cannot convert null to type system.datetime"
Install-Module -Name DSInternals -Force -AllowClobber -ErrorAction Stop
Write-Host '[+] DSInternals updated. Please re-run the script to load the new version.' Write-Host '[+] DSInternals updated. Please re-run the script to load the new version.'
exit 0 exit 0
} catch { } catch {
@@ -602,9 +604,10 @@ function Test-WeakADPasswords {
Write-Verbose ("Using credential supplied by caller: {0}" -f $credential.UserName) Write-Verbose ("Using credential supplied by caller: {0}" -f $credential.UserName)
} }
# Verify the account has the three replication extended rights before attempting DCSync # Pre-flight checks before attempting DCSync
try { try {
$domainInfo = Get-ADDomain -Server $selectedDomain["DC"] -Credential $credential -ErrorAction Stop $domainInfo = Get-ADDomain -Server $selectedDomain["DC"] -Credential $credential -ErrorAction Stop
Test-DCClockSkew -Server $selectedDomain["DC"] -Credential $credential
Test-ReplicationPermissions -DomainDN $domainInfo.DistinguishedName ` Test-ReplicationPermissions -DomainDN $domainInfo.DistinguishedName `
-Server $selectedDomain["DC"] -Credential $credential -Server $selectedDomain["DC"] -Credential $credential
} catch { } catch {
Uninstall.ps1
+1 -1
View File
@@ -7,7 +7,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Uninstall.ps1 ## ## File: Uninstall.ps1 ##
## Version: 2.3.0 ## ## Version: 2.4.0 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
Update-KHDB.ps1
+1 -1
View File
@@ -7,7 +7,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Update-KHDB.ps1 ## ## File: Update-KHDB.ps1 ##
## Version: 2.3.0 ## ## Version: 2.4.0 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
Update-LithnetStore.ps1
+1 -1
View File
@@ -7,7 +7,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Update-LithnetStore.ps1 ## ## File: Update-LithnetStore.ps1 ##
## Version: 2.3.0 ## ## Version: 2.4.0 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################