Release v2.4.3: fix tokenGroups retrieval and DirectoryEntry LDAP paths

Test-ReplicationPermissions:
- Replaced DirectoryEntry.RefreshCache tokenGroups retrieval with
  Get-ADUser -Properties tokenGroups. DirectoryEntry does not
  understand URI percent-encoding, so the v2.4.1 EscapeDataString
  fix caused 'invalid dn syntax' errors.
- Removed EscapeDataString from the ACL DirectoryEntry path as
  well; DirectoryEntry expects raw LDAP ADSI path syntax.

All versions bumped to unified v2.4.3.
2026-06-09 14:14:45 +02:00
parent 03aa72f999
commit af945f529e
11 changed files with 23 additions and 19 deletions
+6 -10
@@ -1,4 +1,4 @@
$script:ElysiumVersion = '2.4.2'
$script:ElysiumVersion = '2.4.3'
function Invoke-RestartWithExecutable {
param(
@@ -343,14 +343,10 @@ function Test-ReplicationPermissions {
# tokenGroups is a constructed attribute containing all SIDs in the user's token,
# including nested group memberships - more reliable than walking MemberOf recursively
$userDe = New-Object System.DirectoryServices.DirectoryEntry(
"LDAP://$Server/$([System.Uri]::EscapeDataString($adUser.DistinguishedName))",
$Credential.UserName,
$Credential.GetNetworkCredential().Password
)
$userDe.RefreshCache(@('tokenGroups'))
foreach ($sidBytes in $userDe.Properties['tokenGroups']) {
$sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
$adUserWithTokenGroups = Get-ADUser -Identity $samName -Server $Server -Credential $Credential `
-Properties tokenGroups -ErrorAction Stop
foreach ($sidBytes in $adUserWithTokenGroups.tokenGroups) {
$sid = New-Object System.Security.Principal.SecurityIdentifier(@([byte[]]$sidBytes), 0)
[void]$callerSids.Add($sid.Value)
}
@@ -374,7 +370,7 @@ function Test-ReplicationPermissions {
$acl = $null
try {
$de = New-Object System.DirectoryServices.DirectoryEntry(
"LDAP://$Server/$([System.Uri]::EscapeDataString($DomainDN))",
"LDAP://$Server/$DomainDN",
$Credential.UserName,
$Credential.GetNetworkCredential().Password
)
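Review bot: The new tokenGroups loop in the hunk at @@ -343 silently accepts an empty or absent tokenGroups collection — `foreach` over `$null` runs zero times, so `$callerSids` stays empty and whatever check follows (outside this hunk; Test-ReplicationPermissions starts before and continues after it) would report a missing permission rather than a retrieval failure. As far as I know tokenGroups, when it is actually computed, always contains at least the account's primary-group SID, so an empty result means the constructed attribute was not populated (for example insufficient read rights on the object, or a server that does not compute it) rather than "no groups". I would add, right after the Get-ADUser call, `if (-not $adUserWithTokenGroups.tokenGroups) { throw "tokenGroups for $samName was not returned by $Server" }` so the caller sees the real cause. In the hunk at @@ -374 the raw `$DomainDN` in the ADsPath is only safe because a domain naming context (DC= components) cannot contain the `/` path delimiter; a one-line comment such as `# raw ADSI path syntax, not a URI: DC= values cannot contain '/', so no escaping is needed here` would keep the next reader from reintroducing EscapeDataString.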