Release v2.2.3: improve replication permission detection

Test-ReplicationPermissions now recognizes:
- GenericAll as satisfying replication rights
- Blanket ExtendedRight (empty ObjectType) ACEs

Also adds diagnostic hints distinguishing between
'missing ACE entirely' and 'ACE exists but not for you'.

All versions bumped to unified v2.2.3.
2026-06-09 11:53:44 +02:00
parent 27a682a968
commit 715f2c18ed
11 changed files with 39 additions and 16 deletions
+1 -1
@@ -8,7 +8,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Bump-Version.ps1 ## ## File: Bump-Version.ps1 ##
## Version: 2.2.2 ## ## Version: 2.2.3 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
+8
@@ -6,6 +6,14 @@ Starting with **v2.2.0**, Elysium uses a **unified project version**. All script
--- ---
## [2.2.3] — 2026-06-09
### Fixed
- `Test-ReplicationPermissions` (in `Elysium.Common.ps1`) now correctly recognizes `GenericAll` and blanket `ExtendedRight` (empty ObjectType) ACEs as satisfying replication permission requirements. Previously, only exact GUID-matched ExtendedRight ACEs were detected, causing false negatives when rights were granted via broader permissions.
- Improved error diagnostics: the missing-rights message now indicates whether an ACE for the specific right exists on the domain object but is not assigned to the caller, versus no ACE existing at all.
---
## [2.2.2] — 2026-06-09 ## [2.2.2] — 2026-06-09
### Fixed ### Fixed
+22 -7
@@ -1,4 +1,4 @@
$script:ElysiumVersion = '2.2.2' $script:ElysiumVersion = '2.2.3'
function Invoke-RestartWithExecutable { function Invoke-RestartWithExecutable {
param( param(
@@ -374,19 +374,34 @@ function Test-ReplicationPermissions {
$missing = @() $missing = @()
foreach ($rightName in $requiredRights.Keys) { foreach ($rightName in $requiredRights.Keys) {
$guid = $requiredRights[$rightName] $guid = $requiredRights[$rightName]
$granted = $false $granted = $false
$aceExistsForGuid = $false
foreach ($ace in $acl) { foreach ($ace in $acl) {
if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue } if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue } $rights = $ace.ActiveDirectoryRights
if ($ace.ObjectType -ne $guid) { continue } $hasExtended = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
$hasGenericAll = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
# Match: exact GUID, OR ExtendedRight with empty ObjectType (all extended rights), OR GenericAll
$isMatch = $hasGenericAll `
-or ($hasExtended -and $ace.ObjectType -eq [guid]::Empty) `
-or ($hasExtended -and $ace.ObjectType -eq $guid)
if (-not $isMatch) { continue }
if ($ace.ObjectType -eq $guid) { $aceExistsForGuid = $true }
if ($callerSids.Contains($ace.IdentityReference.Value)) { $granted = $true; break } if ($callerSids.Contains($ace.IdentityReference.Value)) { $granted = $true; break }
} }
if (-not $granted) { $missing += $rightName } if (-not $granted) {
$hint = if ($aceExistsForGuid) {
' (ACE exists on the domain object but is not assigned to this account or any of its groups)'
} else {
' (no ACE found for this right on the domain object at all)'
}
$missing += $rightName + $hint
}
} }
if ($missing.Count -gt 0) { if ($missing.Count -gt 0) {
throw ("Account '{0}' is missing the following replication permissions on '{1}':`n - {2}`n`nGrant these extended rights on the domain object to allow DCSync-based hash retrieval." -f ` throw ("Account '{0}' failed replication permission check on '{1}':`n - {2}`n`nGrant these extended rights on the domain object to allow DCSync-based hash retrieval." -f `
$Credential.UserName, $DomainDN, ($missing -join "`n - ")) $Credential.UserName, $DomainDN, ($missing -join "`n - "))
} }
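Review bot: The line `$hasGenericAll = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)` makes the new check far too permissive: GenericAll is a composite mask (0xF01FF), so `-band` yields a non-zero value for any ACE that shares even one bit with it, such as a plain ReadProperty or GenericRead grant, and `[bool]` turns that into `$true`. Because `$isMatch` takes `$hasGenericAll` first and that branch never consults `$ace.ObjectType`, an ordinary read ACE on the domain object for any SID in `$callerSids` now satisfies every entry in `$requiredRights`, a false positive in the opposite direction from the false negatives this change set out to remove. Test the full mask instead: `$hasGenericAll = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll`. Two smaller points in the same hunk: `$aceExistsForGuid` is only set when `$ace.ObjectType -eq $guid`, so a blanket ExtendedRight or GenericAll ACE held by some other principal still yields the 'no ACE found for this right on the domain object at all' hint; setting the flag for any ACE that passed `$isMatch` (and renaming it to say so) would make the hint truthful. And since Deny ACEs are still skipped by the `AccessControlType -ne Allow` check, an explicit Deny on the caller or one of its groups is never reported, so the function can pass an account the directory will refuse; if that is an accepted limitation it deserves a comment next to that line.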
+1 -1
@@ -7,7 +7,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Elysium.ps1 ## ## File: Elysium.ps1 ##
## Version: 2.2.2 ## ## Version: 2.2.3 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
+1 -1
@@ -8,7 +8,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: ElysiumSettings.txt ## ## File: ElysiumSettings.txt ##
## Version: 2.2.2 ## ## Version: 2.2.3 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
+1 -1
@@ -7,7 +7,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Extract-NTHashes.ps1 ## ## File: Extract-NTHashes.ps1 ##
## Version: 2.2.2 ## ## Version: 2.2.3 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
+1 -1
@@ -7,7 +7,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Prepare-KHDBStorage.ps1 ## ## File: Prepare-KHDBStorage.ps1 ##
## Version: 2.2.2 ## ## Version: 2.2.3 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
+1 -1
@@ -8,7 +8,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Test-WeakADPasswords.ps1 ## ## File: Test-WeakADPasswords.ps1 ##
## Version: 2.2.2 ## ## Version: 2.2.3 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
+1 -1
@@ -7,7 +7,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Uninstall.ps1 ## ## File: Uninstall.ps1 ##
## Version: 2.2.2 ## ## Version: 2.2.3 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
+1 -1
@@ -7,7 +7,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Update-KHDB.ps1 ## ## File: Update-KHDB.ps1 ##
## Version: 2.2.2 ## ## Version: 2.2.3 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################
+1 -1
@@ -7,7 +7,7 @@
################################################## ##################################################
## Project: Elysium ## ## Project: Elysium ##
## File: Update-LithnetStore.ps1 ## ## File: Update-LithnetStore.ps1 ##
## Version: 2.2.2 ## ## Version: 2.2.3 ##
## Support: support@cqre.net ## ## Support: support@cqre.net ##
################################################## ##################################################