Release v2.2.3: improve replication permission detection

Test-ReplicationPermissions now recognizes:
- GenericAll as satisfying replication rights
- Blanket ExtendedRight (empty ObjectType) ACEs

Also adds diagnostic hints distinguishing between
'missing ACE entirely' and 'ACE exists but not for you'.

All versions bumped to unified v2.2.3.

Bump-Version.ps1

@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Bump-Version.ps1                       ##
-## Version: 2.2.2                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

CHANGELOG.md

@@ -6,6 +6,14 @@ Starting with **v2.2.0**, Elysium uses a **unified project version**. All script
 
 ---
 
+## [2.2.3] — 2026-06-09
+
+### Fixed
+- `Test-ReplicationPermissions` (in `Elysium.Common.ps1`) now correctly recognizes `GenericAll` and blanket `ExtendedRight` (empty ObjectType) ACEs as satisfying replication permission requirements. Previously, only exact GUID-matched ExtendedRight ACEs were detected, causing false negatives when rights were granted via broader permissions.
+- Improved error diagnostics: the missing-rights message now indicates whether an ACE for the specific right exists on the domain object but is not assigned to the caller, versus no ACE existing at all.
+
+---
+
 ## [2.2.2] — 2026-06-09
 
 ### Fixed

Elysium.Common.ps1

@@ -1,4 +1,4 @@
-$script:ElysiumVersion = '2.2.2'
+$script:ElysiumVersion = '2.2.3'
 
 function Invoke-RestartWithExecutable {
     param(
@@ -376,17 +376,32 @@ function Test-ReplicationPermissions {
     foreach ($rightName in $requiredRights.Keys) {
         $guid             = $requiredRights[$rightName]
         $granted          = $false
+        $aceExistsForGuid = $false
         foreach ($ace in $acl) {
             if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
-            if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
+            $rights        = $ace.ActiveDirectoryRights
-            if ($ace.ObjectType -ne $guid) { continue }
+            $hasExtended   = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
+            $hasGenericAll = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
+            # Match: exact GUID, OR ExtendedRight with empty ObjectType (all extended rights), OR GenericAll
+            $isMatch = $hasGenericAll `
+                -or ($hasExtended -and $ace.ObjectType -eq [guid]::Empty) `
+                -or ($hasExtended -and $ace.ObjectType -eq $guid)
+            if (-not $isMatch) { continue }
+            if ($ace.ObjectType -eq $guid) { $aceExistsForGuid = $true }
             if ($callerSids.Contains($ace.IdentityReference.Value)) { $granted = $true; break }
         }
-        if (-not $granted) { $missing += $rightName }
+        if (-not $granted) {
+            $hint = if ($aceExistsForGuid) {
+                ' (ACE exists on the domain object but is not assigned to this account or any of its groups)'
+            } else {
+                ' (no ACE found for this right on the domain object at all)'
+            }
+            $missing += $rightName + $hint
+        }
     }
 
     if ($missing.Count -gt 0) {
-        throw ("Account '{0}' is missing the following replication permissions on '{1}':`n  - {2}`n`nGrant these extended rights on the domain object to allow DCSync-based hash retrieval." -f `
+        throw ("Account '{0}' failed replication permission check on '{1}':`n  - {2}`n`nGrant these extended rights on the domain object to allow DCSync-based hash retrieval." -f `
             $Credential.UserName, $DomainDN, ($missing -join "`n  - "))
     }
 

Elysium.ps1

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Elysium.ps1                            ##
-## Version: 2.2.2                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

ElysiumSettings.txt.sample

@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: ElysiumSettings.txt                    ##
-## Version: 2.2.2                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

Extract-NTHashes.ps1

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Extract-NTHashes.ps1                   ##
-## Version: 2.2.2                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

Prepare-KHDBStorage.ps1

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Prepare-KHDBStorage.ps1                ##
-## Version: 2.2.2                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

Test-WeakADPasswords.ps1

@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Test-WeakADPasswords.ps1               ##
-## Version: 2.2.2                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

Uninstall.ps1

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Uninstall.ps1                          ##
-## Version: 2.2.2                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

Update-KHDB.ps1

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Update-KHDB.ps1                        ##
-## Version: 2.2.2                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
 

Update-LithnetStore.ps1

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Update-LithnetStore.ps1                ##
-## Version: 2.2.2                               ##
+## Version: 2.2.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################