Release v2.2.3: improve replication permission detection

Test-ReplicationPermissions now recognizes:
- GenericAll as satisfying replication rights
- Blanket ExtendedRight (empty ObjectType) ACEs

Also adds diagnostic hints distinguishing between
'missing ACE entirely' and 'ACE exists but not for you'.

All versions bumped to unified v2.2.3.

Bump-Version.ps1

@@ -0,0 +1,161 @@
+##################################################
+##   ____ ___  ____  _____   _   _ _____ _____  ##
+##  / ___/ _ \|  _ \| ____| | \ | | ____|_   _| ##
+## | |  | | | | |_) |  _|   |  \| |  _|   | |   ##
+## | |__| |_| |  _ <| |___ _| |\  | |___  | |   ##
+##  \____\__\_\_| \_\_____(_)_| \_|_____| |_|   ##
+##          Move fast and fix things.           ##
+##################################################
+## Project: Elysium                             ##
+## File: Bump-Version.ps1                       ##
+## Version: 2.2.3                               ##
+## Support: support@cqre.net                    ##
+##################################################
+
+#Requires -Version 5.1
+$ErrorActionPreference = 'Stop'
+Set-StrictMode -Version Latest
+
+<#
+.SYNOPSIS
+    Bumps the unified Elysium version across all project files.
+
+.DESCRIPTION
+    Updates the centralized $ElysiumVersion variable, ASCII headers in all
+    operational scripts, the settings template, and runtime references
+    (User-Agent, usage beacon, etc.). Optionally stubs a new CHANGELOG entry.
+
+.PARAMETER NewVersion
+    The new version string to apply (e.g. 2.2.2).
+
+.PARAMETER SkipChangelog
+    Do not print a CHANGELOG entry stub.
+
+.EXAMPLE
+    .\Bump-Version.ps1 -NewVersion 2.2.2
+#>
+param(
+    [Parameter(Mandatory = $true)]
+    [string]$NewVersion,
+
+    [switch]$SkipChangelog
+)
+
+$scriptRoot = $PSScriptRoot
+if (-not $scriptRoot) { $scriptRoot = (Get-Location).Path }
+
+# ---------------------------------------------------------------------------
+# Validate input
+# ---------------------------------------------------------------------------
+if ($NewVersion -notmatch '^\d+\.\d+\.\d+$') {
+    throw "Version must be in semantic format X.Y.Z (e.g. 2.2.2). Got: '$NewVersion'"
+}
+
+# ---------------------------------------------------------------------------
+# Determine current version from Elysium.Common.ps1
+# ---------------------------------------------------------------------------
+$commonPath = Join-Path -Path $scriptRoot -ChildPath 'Elysium.Common.ps1'
+if (-not (Test-Path -LiteralPath $commonPath)) {
+    throw "Elysium.Common.ps1 not found at $commonPath"
+}
+
+$commonContent = Get-Content -LiteralPath $commonPath -Raw
+$currentVersionMatch = [regex]::Match($commonContent, "\`$script:ElysiumVersion\s*=\s*'([^']+)'")
+if (-not $currentVersionMatch.Success) {
+    throw "Could not determine current version from Elysium.Common.ps1"
+}
+$oldVersion = $currentVersionMatch.Groups[1].Value
+
+if ($oldVersion -eq $NewVersion) {
+    Write-Warning "Current version is already $NewVersion. Nothing to do."
+    return
+}
+
+Write-Host "Bumping Elysium from $oldVersion -> $NewVersion"
+
+# ---------------------------------------------------------------------------
+# Helper: replace in file
+# ---------------------------------------------------------------------------
+function Edit-FileVersion {
+    param(
+        [string]$Path,
+        [string]$Old,
+        [string]$New
+    )
+    $content = Get-Content -LiteralPath $Path -Raw
+    $newContent = $content.Replace($Old, $New)
+    if ($newContent -eq $content) {
+        Write-Verbose "  No changes in $(Split-Path -Leaf $Path)"
+    } else {
+        Set-Content -LiteralPath $Path -Value $newContent -NoNewline -Encoding UTF8
+        Write-Host "  Updated $(Split-Path -Leaf $Path)"
+    }
+}
+
+# ---------------------------------------------------------------------------
+# 1. Central version variable
+# ---------------------------------------------------------------------------
+Write-Host "`n[1/4] Updating centralized version variable..."
+Edit-FileVersion -Path $commonPath -Old "`$script:ElysiumVersion = '$oldVersion'" -New "`$script:ElysiumVersion = '$NewVersion'"
+
+# ---------------------------------------------------------------------------
+# 2. ASCII headers in scripts and templates
+# ---------------------------------------------------------------------------
+Write-Host "`n[2/4] Updating script headers..."
+$headerTargets = Get-ChildItem -Path $scriptRoot -File | Where-Object {
+    $_.Extension -in @('.ps1', '.py') -or $_.Name -eq 'ElysiumSettings.txt.sample'
+}
+foreach ($file in $headerTargets) {
+    $content = Get-Content -LiteralPath $file.FullName -Raw
+    # The header pattern: ## Version: X.Y.Z                               ##
+    $pattern = "## Version:\s+$([regex]::Escape($oldVersion))\s+##"
+    $replacement = "## Version: $NewVersion                               ##"
+    $newContent = [regex]::Replace($content, $pattern, $replacement)
+    if ($newContent -ne $content) {
+        Set-Content -LiteralPath $file.FullName -Value $newContent -NoNewline -Encoding UTF8
+        Write-Host "  Updated $($file.Name)"
+    }
+}
+
+# ---------------------------------------------------------------------------
+# 3. Runtime references (safety net)
+# ---------------------------------------------------------------------------
+Write-Host "`n[3/4] Updating runtime version references..."
+$runtimeTargets = Get-ChildItem -Path $scriptRoot -Filter '*.ps1' -File
+foreach ($file in $runtimeTargets) {
+    $content = Get-Content -LiteralPath $file.FullName -Raw
+    $newContent = $content
+    # User-Agent patterns: 'Elysium/2.2.1 (+...)' or "Elysium/2.2.1 (+...)"
+    $newContent = [regex]::Replace($newContent,
+        "Elysium/$([regex]::Escape($oldVersion))",
+        "Elysium/$NewVersion")
+    # Literal string assignments: version = '2.2.1'
+    $newContent = [regex]::Replace($newContent,
+        "version\s*=\s*'$([regex]::Escape($oldVersion))'",
+        "version  = '$NewVersion'")
+    if ($newContent -ne $content) {
+        Set-Content -LiteralPath $file.FullName -Value $newContent -NoNewline -Encoding UTF8
+        Write-Host "  Updated runtime refs in $($file.Name)"
+    }
+}
+
+# ---------------------------------------------------------------------------
+# 4. CHANGELOG stub
+# ---------------------------------------------------------------------------
+if (-not $SkipChangelog) {
+    Write-Host "`n[4/4] CHANGELOG entry stub (copy-paste ready):"
+    $today = (Get-Date).ToString('yyyy-MM-dd')
+    $stub = @"
+
+---
+
+## [$NewVersion] — $today
+
+### Changed
+- (describe your change here)
+"@
+    Write-Host $stub
+    Write-Host "`nAppend the above to CHANGELOG.md, then commit and tag."
+}
+
+Write-Host "`nDone. Review the changes with: git diff --stat"

CHANGELOG.md

@@ -6,6 +6,21 @@ Starting with **v2.2.0**, Elysium uses a **unified project version**. All script
 
 ---
 
+## [2.2.3] — 2026-06-09
+
+### Fixed
+- `Test-ReplicationPermissions` (in `Elysium.Common.ps1`) now correctly recognizes `GenericAll` and blanket `ExtendedRight` (empty ObjectType) ACEs as satisfying replication permission requirements. Previously, only exact GUID-matched ExtendedRight ACEs were detected, causing false negatives when rights were granted via broader permissions.
+- Improved error diagnostics: the missing-rights message now indicates whether an ACE for the specific right exists on the domain object but is not assigned to the caller, versus no ACE existing at all.
+
+---
+
+## [2.2.2] — 2026-06-09
+
+### Fixed
+- `Test-ReplicationPermissions` (in `Elysium.Common.ps1`) now resolves the caller's **effective token SIDs** via the `tokenGroups` constructed attribute instead of walking `MemberOf` directly. This correctly accounts for nested group memberships and avoids false-positive "missing permissions" errors when the account is entitled through nested groups.
+
+---
+
 ## [2.2.1] — 2026-06-09
 
 ### Changed

Elysium.Common.ps1

@@ -1,3 +1,5 @@
+$script:ElysiumVersion = '2.2.3'
+
 function Invoke-RestartWithExecutable {
     param(
         [string]$ExecutablePath,
@@ -336,14 +338,20 @@ function Test-ReplicationPermissions {
     try {
         $samName = $Credential.UserName -replace '^.*\\', ''
         $adUser = Get-ADUser -Identity $samName -Server $Server -Credential $Credential `
-            -Properties SID, MemberOf -ErrorAction Stop
+            -Properties SID, DistinguishedName -ErrorAction Stop
         [void]$callerSids.Add($adUser.SID.Value)
-        foreach ($groupDN in @($adUser.MemberOf)) {
+
-            try {
+        # tokenGroups is a constructed attribute containing all SIDs in the user's token,
-                $g = Get-ADGroup -Identity $groupDN -Server $Server -Credential $Credential `
+        # including nested group memberships — more reliable than walking MemberOf recursively
-                    -Properties SID -ErrorAction Stop
+        $userDe = New-Object System.DirectoryServices.DirectoryEntry(
-                [void]$callerSids.Add($g.SID.Value)
+            "LDAP://$Server/$($adUser.DistinguishedName)",
-            } catch { }
+            $Credential.UserName,
+            $Credential.GetNetworkCredential().Password
+        )
+        $userDe.RefreshCache(@('tokenGroups'))
+        foreach ($sidBytes in $userDe.Properties['tokenGroups']) {
+            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
+            [void]$callerSids.Add($sid.Value)
         }
     } catch {
         Write-Warning ("Could not resolve account SIDs for replication permission pre-check: {0}. Skipping." -f $_.Exception.Message)
@@ -368,17 +376,32 @@ function Test-ReplicationPermissions {
     foreach ($rightName in $requiredRights.Keys) {
         $guid             = $requiredRights[$rightName]
         $granted          = $false
+        $aceExistsForGuid = $false
         foreach ($ace in $acl) {
             if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
-            if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
+            $rights        = $ace.ActiveDirectoryRights
-            if ($ace.ObjectType -ne $guid) { continue }
+            $hasExtended   = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
+            $hasGenericAll = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
+            # Match: exact GUID, OR ExtendedRight with empty ObjectType (all extended rights), OR GenericAll
+            $isMatch = $hasGenericAll `
+                -or ($hasExtended -and $ace.ObjectType -eq [guid]::Empty) `
+                -or ($hasExtended -and $ace.ObjectType -eq $guid)
+            if (-not $isMatch) { continue }
+            if ($ace.ObjectType -eq $guid) { $aceExistsForGuid = $true }
             if ($callerSids.Contains($ace.IdentityReference.Value)) { $granted = $true; break }
         }
-        if (-not $granted) { $missing += $rightName }
+        if (-not $granted) {
+            $hint = if ($aceExistsForGuid) {
+                ' (ACE exists on the domain object but is not assigned to this account or any of its groups)'
+            } else {
+                ' (no ACE found for this right on the domain object at all)'
+            }
+            $missing += $rightName + $hint
+        }
     }
 
     if ($missing.Count -gt 0) {
-        throw ("Account '{0}' is missing the following replication permissions on '{1}':`n  - {2}`n`nGrant these extended rights on the domain object to allow DCSync-based hash retrieval." -f `
+        throw ("Account '{0}' failed replication permission check on '{1}':`n  - {2}`n`nGrant these extended rights on the domain object to allow DCSync-based hash retrieval." -f `
             $Credential.UserName, $DomainDN, ($missing -join "`n  - "))
     }
 

Elysium.ps1

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Elysium.ps1                            ##
-## Version: 2.2.1                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

ElysiumSettings.txt.sample

@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: ElysiumSettings.txt                    ##
-## Version: 2.2.1                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

Extract-NTHashes.ps1

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Extract-NTHashes.ps1                   ##
-## Version: 2.2.1                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

Prepare-KHDBStorage.ps1

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Prepare-KHDBStorage.ps1                ##
-## Version: 2.2.1                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

Test-WeakADPasswords.ps1

@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Test-WeakADPasswords.ps1               ##
-## Version: 2.2.1                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 
@@ -95,7 +95,7 @@ function Invoke-UsageBeacon {
     if ($normalizedMethod -in @('POST', 'PUT')) {
         $payload = [ordered]@{
             script   = 'Test-WeakADPasswords'
-            version  = '2.2.1'
+            version  = $ElysiumVersion
             ranAtUtc = (Get-Date).ToUniversalTime().ToString('o')
         }
         if (-not [string]::IsNullOrWhiteSpace($InstanceId)) {

Uninstall.ps1

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Uninstall.ps1                          ##
-## Version: 2.2.1                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

Update-KHDB.ps1

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Update-KHDB.ps1                        ##
-## Version: 2.2.1                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 
@@ -61,7 +61,7 @@ function New-HttpClient {
     Add-Type -AssemblyName System.Net.Http -ErrorAction SilentlyContinue
     $client = [System.Net.Http.HttpClient]::new()
     $client.Timeout = [TimeSpan]::FromSeconds(600)
-    $client.DefaultRequestHeaders.UserAgent.ParseAdd('Elysium/2.2.1 (+Update-KHDB)')
+    $client.DefaultRequestHeaders.UserAgent.ParseAdd("Elysium/$ElysiumVersion (+Update-KHDB)")
     return $client
 }
 

Update-LithnetStore.ps1

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Update-LithnetStore.ps1                ##
-## Version: 2.2.1                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################