DSInternals 7.0 fetches the AD schema via DRS (GetNCChanges) before
replicating accounts, so the schema NC has its own ACL requirement.
- Test-ReplicationPermissions now validates rights on both the
domain NC and the configuration NC (schema NC inherits from it).
- Updated README with dsacls delegation examples and dual-NC
least-privilege requirements.
- Improved 'Replication access was denied' error message to name
both NCs and explain the DSInternals 7.0 change.
- Diagnostic dump now includes SchemaDN.
All versions bumped to unified v2.4.4.
Test-ReplicationPermissions:
- Replaced DirectoryEntry.RefreshCache tokenGroups retrieval with
Get-ADUser -Properties tokenGroups. DirectoryEntry does not
understand URI percent-encoding, so the v2.4.1 EscapeDataString
fix caused 'invalid dn syntax' errors.
- Removed EscapeDataString from the ACL DirectoryEntry path as
well; DirectoryEntry expects raw LDAP ADSI path syntax.
All versions bumped to unified v2.4.3.
UTF-8 em-dashes (U+2014) in Elysium.Common.ps1 string literals were
being misinterpreted by Windows PowerShell as containing quote
characters when the file was read without a UTF-8 BOM. This caused
cascading parse errors: unexpected tokens, missing closing braces,
and missing catch blocks.
All em-dashes in .ps1 files have been replaced with ASCII hyphens.
All versions bumped to unified v2.4.2.
Test-ReplicationPermissions and Test-DCClockSkew now escape
Distinguished Names via [System.Uri]::EscapeDataString before
constructing DirectoryEntry LDAP URLs. This prevents URL
mis-parsing when DNs contain /, #, or other reserved characters.
All versions bumped to unified v2.4.1.
Added pre-flight diagnostics:
- Test-DCClockSkew: validates local/DC clock skew before DCSync to
catch Kerberos auth failures early.
- Test-ReplicationPermissions now warns on adminCount=1 (SDProp
protected) and Protected Users group membership (RID 525), both
of which can silently block or revert replication rights.
Fixed DSInternals update flow:
- Replaced Update-Module with Install-Module -Force -AllowClobber
to work around a PowerShellGet null PublishedDate bug.
All versions bumped to unified v2.4.0.
Test-WeakADPasswords.ps1 now validates the installed DSInternals
version at startup:
- v6.2 (unsigned) warns that native DLLs are blocked and replication
will fail; directs operator to Update-Module DSInternals.
- Below v7.0 prompts to auto-update via Update-Module -Force and
exits cleanly so the new version is loaded on re-run.
- v7.0+ passes silently.
All versions bumped to unified v2.3.0.
The Zone.Identifier block detection now dynamically resolves the
actual DSInternals module installation path via Get-Module instead
of hardcoding a ProgramFiles path, so the Unblock-File command in
the error message is always correct.
All versions bumped to unified v2.2.5.
Test-ReplicationPermissions:
- Skip InheritOnly ACEs since they do not apply to the domain root
object itself, only to child objects.
Test-WeakADPasswords:
- Detect Windows Zone.Identifier blocks on DSInternals DLLs and
emit a clear error with the exact Unblock-File remediation
command instead of a vague warning.
All versions bumped to unified v2.2.4.
Test-ReplicationPermissions now recognizes:
- GenericAll as satisfying replication rights
- Blanket ExtendedRight (empty ObjectType) ACEs
Also adds diagnostic hints distinguishing between
'missing ACE entirely' and 'ACE exists but not for you'.
All versions bumped to unified v2.2.3.
Test-ReplicationPermissions now uses the tokenGroups constructed
attribute to resolve all effective SIDs in the caller's Kerberos
token, including nested group memberships. This replaces the
previous MemberOf walk which missed indirect entitlement and
could produce false-positive missing-permission errors.
All versions bumped to unified v2.2.2.
- Add to Elysium.Common.ps1 as the single
runtime source of truth for version strings.
- Update Update-KHDB.ps1 User-Agent to reference .
- Update Test-WeakADPasswords.ps1 usage beacon payload to reference
.
- Add Bump-Version.ps1 release helper that updates the centralized
variable, ASCII headers across .ps1/.py files, runtime references,
and prints a CHANGELOG stub.
Consolidated duplicated helpers into Elysium.Common.ps1:
- Settings parsing (Read-KeyValueSettingsFile, Read-ElysiumSettings, Get-SettingsValue)
- Azure Blob URI builder (Build-BlobUri)
- S3 SigV4 signing helpers and AWS module bootstrap
- AD credential validation and replication permission pre-check
- Parallel execution helper (Get-FunctionDefinitionText)
Test-WeakADPasswords.ps1 and Extract-NTHashes.ps1 now import
Elysium.Common.ps1 for the first time. Update-KHDB.ps1 and
Prepare-KHDBStorage.ps1 removed their local duplicates.
Deleted legacy Settings.ps1 (superseded by ElysiumSettings.txt).
Removed stray placeholder comment in Elysium.ps1.
All versions bumped to unified v2.2.1.
- Unified project versioning (v2.2.0) across all scripts, settings template,
and documentation. All components now share a single version number.
- Added Test-ReplicationPermissions to Test-WeakADPasswords.ps1 to validate
the three required AD replication extended rights before DCSync, providing
clear fail-fast errors when permissions are missing.
- Updated CHANGELOG.md with unified versioning strategy and release history.
- Updated README.md with versioning section and improved troubleshooting docs.
tomas.kracmar