From 9496063b97ddcdba37b9dbaa7aa7ab006b5731af Mon Sep 17 00:00:00 2001
From: Tomas Kracmar
Date: Tue, 9 Jun 2026 11:53:44 +0200
Subject: [PATCH] Release v2.2.3: improve replication permission detection

Test-ReplicationPermissions now recognizes:
- GenericAll as satisfying replication rights
- Blanket ExtendedRight (empty ObjectType) ACEs

Also adds diagnostic hints distinguishing between 'missing ACE entirely' and 'ACE exists but not for you'.

All versions bumped to unified v2.2.3.
---
 Bump-Version.ps1 | 2 +-
 CHANGELOG.md | 8 ++++++++
 Elysium.Common.ps1 | 29 ++++++++++++++++++++++-------
 Elysium.ps1 | 2 +-
 ElysiumSettings.txt.sample | 2 +-
 Extract-NTHashes.ps1 | 2 +-
 Prepare-KHDBStorage.ps1 | 2 +-
 Test-WeakADPasswords.ps1 | 2 +-
 Uninstall.ps1 | 2 +-
 Update-KHDB.ps1 | 2 +-
 Update-LithnetStore.ps1 | 2 +-
 11 files changed, 39 insertions(+), 16 deletions(-)

diff --git a/Bump-Version.ps1 b/Bump-Version.ps1
index 850f66d..97a104b 100644
--- a/Bump-Version.ps1
+++ b/Bump-Version.ps1
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Bump-Version.ps1 ##
-## Version: 2.2.2 ##
+## Version: 2.2.3 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 68700e6..44b0d2f 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,14 @@ Starting with **v2.2.0**, Elysium uses a **unified project version**. All script
 
 ---
 
+## [2.2.3] — 2026-06-09
+
+### Fixed
+- `Test-ReplicationPermissions` (in `Elysium.Common.ps1`) now correctly recognizes `GenericAll` and blanket `ExtendedRight` (empty ObjectType) ACEs as satisfying replication permission requirements. Previously, only exact GUID-matched ExtendedRight ACEs were detected, causing false negatives when rights were granted via broader permissions.
+- Improved error diagnostics: the missing-rights message now indicates whether an ACE for the specific right exists on the domain object but is not assigned to the caller, versus no ACE existing at all.
+
+---
+
 ## [2.2.2] — 2026-06-09
 
 ### Fixed
diff --git a/Elysium.Common.ps1 b/Elysium.Common.ps1
index 9350fbb..e08300f 100644
--- a/Elysium.Common.ps1
+++ b/Elysium.Common.ps1
@@ -1,4 +1,4 @@
-$script:ElysiumVersion = '2.2.2'
+$script:ElysiumVersion = '2.2.3'
 
 function Invoke-RestartWithExecutable {
 param(
@@ -374,19 +374,34 @@ function Test-ReplicationPermissions { $missing = @() foreach ($rightName in $requiredRights.Keys) { - $guid = $requiredRights[$rightName] - $granted = $false + $guid = $requiredRights[$rightName] + $granted = $false + $aceExistsForGuid = $false foreach ($ace in $acl) { if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue } - if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue } - if ($ace.ObjectType -ne $guid) { continue } + $rights = $ace.ActiveDirectoryRights + $hasExtended = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight) + $hasGenericAll = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) + # Match: exact GUID, OR ExtendedRight with empty ObjectType (all extended rights), OR GenericAll + $isMatch = $hasGenericAll ` + -or ($hasExtended -and $ace.ObjectType -eq [guid]::Empty) ` + -or ($hasExtended -and $ace.ObjectType -eq $guid) + if (-not $isMatch) { continue } + if ($ace.ObjectType -eq $guid) { $aceExistsForGuid = $true } if ($callerSids.Contains($ace.IdentityReference.Value)) { $granted = $true; break } } - if (-not $granted) { $missing += $rightName } + if (-not $granted) { + $hint = if ($aceExistsForGuid) { + ' (ACE exists on the domain object but is not assigned to this account or any of its groups)' + } else { + ' (no ACE found for this right on the domain object at all)' + } + $missing += $rightName + $hint + } } if ($missing.Count -gt 0) { - throw ("Account '{0}' is missing the following replication permissions on '{1}':`n - {2}`n`nGrant these extended rights on the domain object to allow DCSync-based hash retrieval." -f ` + throw ("Account '{0}' failed replication permission check on '{1}':`n - {2}`n`nGrant these extended rights on the domain object to allow DCSync-based hash retrieval." 
-f ` $Credential.UserName, $DomainDN, ($missing -join "`n - ")) } diff --git a/Elysium.ps1 b/Elysium.ps1 index 367e725..d4bb738 100644 --- a/Elysium.ps1 +++ b/Elysium.ps1 @@ -7,7 +7,7 @@ ################################################## ## Project: Elysium ## ## File: Elysium.ps1 ## -## Version: 2.2.2 ## +## Version: 2.2.3 ## ## Support: support@cqre.net ## ################################################## diff --git a/ElysiumSettings.txt.sample b/ElysiumSettings.txt.sample index 17ea414..af462c0 100644 --- a/ElysiumSettings.txt.sample +++ b/ElysiumSettings.txt.sample @@ -8,7 +8,7 @@ ################################################## ## Project: Elysium ## ## File: ElysiumSettings.txt ## -## Version: 2.2.2 ## +## Version: 2.2.3 ## ## Support: support@cqre.net ## ################################################## diff --git a/Extract-NTHashes.ps1 b/Extract-NTHashes.ps1 index 27057d9..85522bc 100644 --- a/Extract-NTHashes.ps1 +++ b/Extract-NTHashes.ps1 @@ -7,7 +7,7 @@ ################################################## ## Project: Elysium ## ## File: Extract-NTHashes.ps1 ## -## Version: 2.2.2 ## +## Version: 2.2.3 ## ## Support: support@cqre.net ## ################################################## diff --git a/Prepare-KHDBStorage.ps1 b/Prepare-KHDBStorage.ps1 index 8884010..3f62a19 100644 --- a/Prepare-KHDBStorage.ps1 +++ b/Prepare-KHDBStorage.ps1 @@ -7,7 +7,7 @@ ################################################## ## Project: Elysium ## ## File: Prepare-KHDBStorage.ps1 ## -## Version: 2.2.2 ## +## Version: 2.2.3 ## ## Support: support@cqre.net ## ################################################## diff --git a/Test-WeakADPasswords.ps1 b/Test-WeakADPasswords.ps1 index ccda120..37e8f77 100644 --- a/Test-WeakADPasswords.ps1 +++ b/Test-WeakADPasswords.ps1 
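Review bot: The new `$hasGenericAll` line tests the rights with a plain bitwise AND, `[bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)`, but GenericAll is a composite mask (0xF01FF) that contains ReadProperty, ListChildren, ExtendedRight and the other ordinary rights, so any Allow ACE granting the caller even one of those — including an ExtendedRight ACE for an unrelated GUID — makes `$isMatch` true and the replication right is reported as granted; on a domain object, where Authenticated Users typically hold such rights, this turns the pre-flight check into a near-guaranteed false positive, the mirror image of the false negative the commit set out to fix. Compare the masked value against the full mask instead: `$hasGenericAll = ($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll) -eq [System.DirectoryServices.ActiveDirectoryRights]::GenericAll`. I would also limit the GenericAll shortcut to ACEs whose ObjectType is empty, `$isMatch = ($hasGenericAll -and $ace.ObjectType -eq [guid]::Empty) -or ...`, since an object-type-qualified GenericAll ACE does not confer the replication extended rights. Whether `$acl` has already been filtered to drop inherit-only ACEs (PropagationFlags InheritOnly), which do not apply to the domain object itself, is not visible in this hunk and is worth confirming, because the same loop would otherwise count them too. Test-ReplicationPermissions starts before this hunk and appears to continue past the closing brace shown.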
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Test-WeakADPasswords.ps1 ##
-## Version: 2.2.2 ##
+## Version: 2.2.3 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Uninstall.ps1 b/Uninstall.ps1
index 74ba211..5b45a55 100644
--- a/Uninstall.ps1
+++ b/Uninstall.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Uninstall.ps1 ##
-## Version: 2.2.2 ##
+## Version: 2.2.3 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Update-KHDB.ps1 b/Update-KHDB.ps1
index 16eb3a2..6397b64 100644
--- a/Update-KHDB.ps1
+++ b/Update-KHDB.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Update-KHDB.ps1 ##
-## Version: 2.2.2 ##
+## Version: 2.2.3 ##
 ## Support: support@cqre.net ##
 ##################################################
diff --git a/Update-LithnetStore.ps1 b/Update-LithnetStore.ps1
index e9bb714..528cdb4 100644
--- a/Update-LithnetStore.ps1
+++ b/Update-LithnetStore.ps1
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium ##
 ## File: Update-LithnetStore.ps1 ##
-## Version: 2.2.2 ##
+## Version: 2.2.3 ##
 ## Support: support@cqre.net ##
 ##################################################