Release v2.4.3: fix tokenGroups retrieval and DirectoryEntry LDAP paths

Test-ReplicationPermissions: - Replaced DirectoryEntry.RefreshCache tokenGroups retrieval with Get-ADUser -Properties tokenGroups. DirectoryEntry does not understand URI percent-encoding, so the v2.4.1 EscapeDataString fix caused 'invalid dn syntax' errors. - Removed EscapeDataString from the ACL DirectoryEntry path as well; DirectoryEntry expects raw LDAP ADSI path syntax. All versions bumped to unified v2.4.3.
Release v2.4.2: replace em-dashes with ASCII hyphens to fix encoding parse errors
2026-06-09 14:14:45 +02:00 · 2026-06-09 13:51:13 +02:00 · 2026-06-09 13:42:34 +02:00 · 2026-06-09 13:32:21 +02:00 · 2026-06-09 13:16:47 +02:00 · 2026-06-09 13:10:36 +02:00
11 changed files with 181 additions and 29 deletions
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Bump-Version.ps1                       ##
-## Version: 2.2.2                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
@@ -149,7 +149,7 @@ if (-not $SkipChangelog) {
 ---
-## [$NewVersion] — $today
+## [$NewVersion] - $today
 ### Changed
 - (describe your change here)
@@ -6,6 +6,73 @@ Starting with **v2.2.0**, Elysium uses a **unified project version**. All script
 ---
 ## [2.4.3] — 2026-06-09
 ### Fixed
 - Replaced the `DirectoryEntry` + `RefreshCache` tokenGroups retrieval in `Test-ReplicationPermissions` with `Get-ADUser -Properties tokenGroups`. The previous `DirectoryEntry` approach was broken by the v2.4.1 URI-escaping "fix" (`EscapeDataString` produces percent-encoded paths that ADSI `DirectoryEntry` cannot parse, causing "invalid dn syntax" errors).
 - Removed `EscapeDataString` from the ACL-reading `DirectoryEntry` path in `Test-ReplicationPermissions` as well, since `DirectoryEntry` expects raw LDAP path syntax, not URI encoding.
 ---
 ## [2.4.2] — 2026-06-09
 ### Fixed
 - Replaced UTF-8 em-dashes (`\u2014`) in `Elysium.Common.ps1` and `Bump-Version.ps1` with ASCII hyphens. On Windows PowerShell without a UTF-8 BOM, the three-byte em-dash sequence was misinterpreted as containing a quote character, causing cascading parse errors (unexpected token, missing closing `)`/`}`/`catch`, etc.).
 ---
 ## [2.4.1] — 2026-06-09
 ### Fixed
 - `Test-ReplicationPermissions` and `Test-DCClockSkew` now URI-escape Distinguished Names via `[System.Uri]::EscapeDataString` before embedding them in `DirectoryEntry` LDAP URLs. DNs containing `/`, `#`, or other reserved characters previously caused URL mis-parsing and constructor failures.
 ---
 ## [2.4.0] — 2026-06-09
 ### Added
 - **DC clock skew pre-flight check** (`Test-DCClockSkew` in `Elysium.Common.ps1`): compares the local machine clock against the target DC's `RootDSE.currentTime` before attempting DCSync. Warns if skew exceeds 300s (Kerberos hard limit) or 60s (approaching limit), and provides the `w32tm /resync /force` remediation command.
 - **SDProp protection warning** in `Test-ReplicationPermissions`: detects `adminCount=1` on the service account and warns that SDProp runs every 60 minutes and may silently revert replication rights or group memberships.
 - **Protected Users group warning** in `Test-ReplicationPermissions`: detects membership in the Protected Users group (RID 525) and warns that it restricts Kerberos delegation and RC4 authentication required by DSInternals for DRS replication.
 ### Fixed
 - DSInternals auto-update flow now uses `Install-Module -Force -AllowClobber` instead of `Update-Module` to avoid a PowerShellGet bug where null `PublishedDate` metadata causes "cannot convert null to type system.datetime".
 ---
 ## [2.3.0] — 2026-06-09
 ### Added
 - `Test-WeakADPasswords.ps1` now checks the installed DSInternals version at startup:
  - **v6.2** (unsigned) is flagged with a warning explaining that unsigned native DLLs are blocked and replication will fail. Remediation: `Update-Module DSInternals`.
  - **Below v7.0** triggers an interactive prompt offering to run `Update-Module DSInternals -Force` automatically. If accepted, the script updates the module and exits cleanly so the operator can re-run with the new version loaded.
  - v7.0+ is required because it fixes intermittent CRC errors mid-replication and `Test-PasswordQuality` result truncation bugs.
 ---
 ## [2.2.5] — 2026-06-09
 ### Fixed
 - The DSInternals `Zone.Identifier` block error message (added in v2.2.4) now dynamically resolves the actual DSInternals module path via `Get-Module` instead of hardcoding `$env:ProgramFiles\WindowsPowerShell\DSInternals`. The `Unblock-File` command in the error now points to the correct installation directory.
 ---
 ## [2.2.4] — 2026-06-09
 ### Fixed
 - `Test-ReplicationPermissions` (in `Elysium.Common.ps1`) now skips `InheritOnly` ACEs when evaluating replication rights. An ACE marked `InheritOnly` applies only to child objects, not the domain root itself, so it does not grant the required extended rights for DCSync on the domain object.
 - `Import-CompatModule` (in `Test-WeakADPasswords.ps1`) now detects DSInternals being blocked by Windows `Zone.Identifier` (alternate data stream from internet download) and throws a clear, actionable error with the exact `Unblock-File` command to run. Previously this surfaced as an opaque non-FIPS warning.
 ---
 ## [2.2.3] — 2026-06-09
 ### Fixed
 - `Test-ReplicationPermissions` (in `Elysium.Common.ps1`) now correctly recognizes `GenericAll` and blanket `ExtendedRight` (empty ObjectType) ACEs as satisfying replication permission requirements. Previously, only exact GUID-matched ExtendedRight ACEs were detected, causing false negatives when rights were granted via broader permissions.
 - Improved error diagnostics: the missing-rights message now indicates whether an ACE for the specific right exists on the domain object but is not assigned to the caller, versus no ACE existing at all.
 ---
 ## [2.2.2] — 2026-06-09
 ### Fixed
@@ -1,4 +1,4 @@
-$script:ElysiumVersion = '2.2.2'
+$script:ElysiumVersion = '2.4.3'
 function Invoke-RestartWithExecutable {
    param(
@@ -338,21 +338,30 @@ function Test-ReplicationPermissions {
    try {
        $samName = $Credential.UserName -replace '^.*\\', ''
        $adUser = Get-ADUser -Identity $samName -Server $Server -Credential $Credential `
-            -Properties SID, DistinguishedName -ErrorAction Stop
+            -Properties SID, DistinguishedName, adminCount -ErrorAction Stop
        [void]$callerSids.Add($adUser.SID.Value)
        # tokenGroups is a constructed attribute containing all SIDs in the user's token,
-        # including nested group memberships — more reliable than walking MemberOf recursively
+        # including nested group memberships - more reliable than walking MemberOf recursively
-        $userDe = New-Object System.DirectoryServices.DirectoryEntry(
+        $adUserWithTokenGroups = Get-ADUser -Identity $samName -Server $Server -Credential $Credential `
-            "LDAP://$Server/$($adUser.DistinguishedName)",
+            -Properties tokenGroups -ErrorAction Stop
-            $Credential.UserName,
+        foreach ($sidBytes in $adUserWithTokenGroups.tokenGroups) {
-            $Credential.GetNetworkCredential().Password
+            $sid = New-Object System.Security.Principal.SecurityIdentifier(@([byte[]]$sidBytes), 0)
        )
        $userDe.RefreshCache(@('tokenGroups'))
        foreach ($sidBytes in $userDe.Properties['tokenGroups']) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
            [void]$callerSids.Add($sid.Value)
        }
        # adminCount=1 means SDProp is managing this account; it runs every 60 min and can
        # silently revert replication rights or group memberships granted to the account
        if ($adUser.adminCount -eq 1) {
            Write-Warning ("Account '{0}' has adminCount=1 (SDProp-protected). It is or was a member of a privileged group. SDProp runs every 60 minutes and may silently revert replication rights or group memberships on this account." -f $Credential.UserName)
        }
        # Protected Users group (RID 525) blocks the Kerberos mechanisms DSInternals uses for DRS
        $domainSidStr = $adUser.SID.Value.Substring(0, $adUser.SID.Value.LastIndexOf('-'))
        $protectedUsersSid = "$domainSidStr-525"
        if ($callerSids.Contains($protectedUsersSid)) {
            Write-Warning ("Account '{0}' is a member of Protected Users. This group restricts Kerberos delegation and RC4 authentication that DSInternals requires for DRS replication - access will be denied regardless of assigned rights." -f $Credential.UserName)
        }
    } catch {
        Write-Warning ("Could not resolve account SIDs for replication permission pre-check: {0}. Skipping." -f $_.Exception.Message)
        return
@@ -376,19 +385,65 @@ function Test-ReplicationPermissions {
    foreach ($rightName in $requiredRights.Keys) {
        $guid             = $requiredRights[$rightName]
        $granted          = $false
        $aceExistsForGuid = $false
        foreach ($ace in $acl) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
-            if (-not ($ace.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)) { continue }
+            # InheritOnly ACEs apply to child objects only - the domain root itself is not covered
-            if ($ace.ObjectType -ne $guid) { continue }
+            if ([bool]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
            $rights        = $ace.ActiveDirectoryRights
            $hasExtended   = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
            $hasGenericAll = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::GenericAll)
            # Match: exact GUID, OR ExtendedRight with empty ObjectType (all extended rights), OR GenericAll
            $isMatch = $hasGenericAll `
                -or ($hasExtended -and $ace.ObjectType -eq [guid]::Empty) `
                -or ($hasExtended -and $ace.ObjectType -eq $guid)
            if (-not $isMatch) { continue }
            if ($ace.ObjectType -eq $guid) { $aceExistsForGuid = $true }
            if ($callerSids.Contains($ace.IdentityReference.Value)) { $granted = $true; break }
        }
-        if (-not $granted) { $missing += $rightName }
+        if (-not $granted) {
            $hint = if ($aceExistsForGuid) {
                ' (ACE exists on the domain object but is not assigned to this account or any of its groups)'
            } else {
                ' (no ACE found for this right on the domain object at all)'
            }
            $missing += $rightName + $hint
        }
    }
    if ($missing.Count -gt 0) {
-        throw ("Account '{0}' is missing the following replication permissions on '{1}':`n  - {2}`n`nGrant these extended rights on the domain object to allow DCSync-based hash retrieval." -f `
+        throw ("Account '{0}' failed replication permission check on '{1}':`n  - {2}`n`nGrant these extended rights on the domain object to allow DCSync-based hash retrieval." -f `
            $Credential.UserName, $DomainDN, ($missing -join "`n  - "))
    }
    Write-Host ("[+] Replication permissions verified for '{0}'." -f $Credential.UserName)
 }
 function Test-DCClockSkew {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
    )
    try {
        $rootDse = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$Server/RootDSE",
            $Credential.UserName,
            $Credential.GetNetworkCredential().Password
        )
        $dcTimeStr = $rootDse.Properties['currentTime'][0]
        $dcTime = [datetime]::ParseExact(
            $dcTimeStr, 'yyyyMMddHHmmss.0Z',
            [System.Globalization.CultureInfo]::InvariantCulture,
            [System.Globalization.DateTimeStyles]::AssumeUniversal).ToUniversalTime()
        $skewSeconds = [Math]::Abs(([datetime]::UtcNow - $dcTime).TotalSeconds)
        if ($skewSeconds -gt 300) {
            Write-Warning ("Clock skew of {0:N0}s with '{1}' exceeds Kerberos limit of 300s - authentication will fail. Sync the clock: w32tm /resync /force" -f $skewSeconds, $Server)
        } elseif ($skewSeconds -gt 60) {
            Write-Warning ("Clock skew of {0:N0}s detected with '{1}'. Kerberos allows up to 300s - approaching the limit." -f $skewSeconds, $Server)
        } else {
            Write-Host ("[+] Clock skew with '{0}': {1:N0}s (OK)." -f $Server, $skewSeconds)
        }
    } catch {
        Write-Warning ("Could not check clock skew against '{0}': {1}" -f $Server, $_.Exception.Message)
    }
 }
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Elysium.ps1                            ##
-## Version: 2.2.2                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: ElysiumSettings.txt                    ##
-## Version: 2.2.2                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Extract-NTHashes.ps1                   ##
-## Version: 2.2.2                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Prepare-KHDBStorage.ps1                ##
-## Version: 2.2.2                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Test-WeakADPasswords.ps1               ##
-## Version: 2.2.2                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
@@ -352,7 +352,14 @@ function Import-CompatModule {
        $nonFipsErrors = @($importErrors | Where-Object { $_.Exception.Message -notmatch 'Only FIPS certified cryptographic algorithms are enabled in \.NET' })
        if ($nonFipsErrors.Count -gt 0) {
-            Write-Warning ("DSInternals import reported non-fatal warning(s): {0}" -f $nonFipsErrors[0].Exception.Message)
+            $nonFipsMsg = $nonFipsErrors[0].Exception.Message
            if ($nonFipsMsg -match 'Zone\.Identifier|alternate data stream') {
                $dsModule = Get-Module -Name DSInternals -ErrorAction SilentlyContinue
                if (-not $dsModule) { $dsModule = Get-Module -ListAvailable -Name DSInternals -ErrorAction SilentlyContinue | Select-Object -First 1 }
                $dsPath = if ($dsModule) { $dsModule.ModuleBase } else { '<DSInternals module path>' }
                throw ("DSInternals native DLL is blocked by Windows (Zone.Identifier). Run the following on the target machine and retry:`n  Get-ChildItem -Path '$dsPath' -Recurse | Unblock-File")
            }
            Write-Warning ("DSInternals import reported non-fatal warning(s): {0}" -f $nonFipsMsg)
        }
        Write-Verbose ("Imported module '{0}' (Core={1}, Windows={2})" -f $Name, $runningInPSCore, $onWindows)
@@ -385,6 +392,28 @@ try {
    }
 }
 # Version check: v6.2 was unsigned (blocks native DLLs, causes replication failures);
 # v7.0 fixes intermittent CRC errors mid-replication and Test-PasswordQuality result truncation.
 $dsInternalsVersion = (Get-Module -Name DSInternals).Version
 $minimumVersion = [version]'7.0'
 $unsignedVersion = [version]'6.2'
 if ($dsInternalsVersion -eq $unsignedVersion) {
    Write-Warning ("DSInternals {0} is not digitally signed, which blocks its native DLLs and causes replication failures. Update to v7.0+: Install-Module DSInternals -Force -AllowClobber" -f $dsInternalsVersion)
 } elseif ($dsInternalsVersion -lt $minimumVersion) {
    $resp = Read-Host ("DSInternals {0} is installed; v7.0 fixes intermittent replication CRC errors and result truncation. Update now? [Y/N]" -f $dsInternalsVersion)
    if ($resp -match '^(?i:y|yes)$') {
        try {
            # Install-Module -Force is used instead of Update-Module to avoid a PowerShellGet bug
            # where null PublishedDate metadata causes "cannot convert null to type system.datetime"
            Install-Module -Name DSInternals -Force -AllowClobber -ErrorAction Stop
            Write-Host '[+] DSInternals updated. Please re-run the script to load the new version.'
            exit 0
        } catch {
            Write-Warning ("DSInternals update failed: {0}" -f $_.Exception.Message)
        }
    }
 }
 # Resolve KHDB path with fallbacks
 $installationPath = $ElysiumSettings["InstallationPath"]
 if ([string]::IsNullOrWhiteSpace($installationPath)) { $installationPath = $scriptRoot }
@@ -575,9 +604,10 @@ function Test-WeakADPasswords {
        Write-Verbose ("Using credential supplied by caller: {0}" -f $credential.UserName)
    }
-    # Verify the account has the three replication extended rights before attempting DCSync
+    # Pre-flight checks before attempting DCSync
    try {
        $domainInfo = Get-ADDomain -Server $selectedDomain["DC"] -Credential $credential -ErrorAction Stop
        Test-DCClockSkew -Server $selectedDomain["DC"] -Credential $credential
        Test-ReplicationPermissions -DomainDN $domainInfo.DistinguishedName `
            -Server $selectedDomain["DC"] -Credential $credential
    } catch {
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Uninstall.ps1                          ##
-## Version: 2.2.2                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Update-KHDB.ps1                        ##
-## Version: 2.2.2                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Update-LithnetStore.ps1                ##
-## Version: 2.2.2                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
Author	SHA1	Message	Date
tomas.kracmar	af945f529e	Release v2.4.3: fix tokenGroups retrieval and DirectoryEntry LDAP paths Test-ReplicationPermissions: - Replaced DirectoryEntry.RefreshCache tokenGroups retrieval with Get-ADUser -Properties tokenGroups. DirectoryEntry does not understand URI percent-encoding, so the v2.4.1 EscapeDataString fix caused 'invalid dn syntax' errors. - Removed EscapeDataString from the ACL DirectoryEntry path as well; DirectoryEntry expects raw LDAP ADSI path syntax. All versions bumped to unified v2.4.3.	2026-06-09 14:14:45 +02:00
tomas.kracmar	03aa72f999	Release v2.4.2: replace em-dashes with ASCII hyphens to fix encoding parse errors UTF-8 em-dashes (U+2014) in Elysium.Common.ps1 string literals were being misinterpreted by Windows PowerShell as containing quote characters when the file was read without a UTF-8 BOM. This caused cascading parse errors: unexpected tokens, missing closing braces, and missing catch blocks. All em-dashes in .ps1 files have been replaced with ASCII hyphens. All versions bumped to unified v2.4.2.	2026-06-09 13:51:13 +02:00
tomas.kracmar	10cbf0285d	Release v2.4.1: URI-escape DNs in DirectoryEntry LDAP URLs Test-ReplicationPermissions and Test-DCClockSkew now escape Distinguished Names via [System.Uri]::EscapeDataString before constructing DirectoryEntry LDAP URLs. This prevents URL mis-parsing when DNs contain /, #, or other reserved characters. All versions bumped to unified v2.4.1.	2026-06-09 13:42:34 +02:00
tomas.kracmar	fc91f0d6b0	Release v2.4.0: DC clock skew check, SDProp/Protected Users warnings, and DSInternals install fix Added pre-flight diagnostics: - Test-DCClockSkew: validates local/DC clock skew before DCSync to catch Kerberos auth failures early. - Test-ReplicationPermissions now warns on adminCount=1 (SDProp protected) and Protected Users group membership (RID 525), both of which can silently block or revert replication rights. Fixed DSInternals update flow: - Replaced Update-Module with Install-Module -Force -AllowClobber to work around a PowerShellGet null PublishedDate bug. All versions bumped to unified v2.4.0.	2026-06-09 13:32:21 +02:00
tomas.kracmar	6b2ae6c8b5	Release v2.3.0: add DSInternals version check and auto-update Test-WeakADPasswords.ps1 now validates the installed DSInternals version at startup: - v6.2 (unsigned) warns that native DLLs are blocked and replication will fail; directs operator to Update-Module DSInternals. - Below v7.0 prompts to auto-update via Update-Module -Force and exits cleanly so the new version is loaded on re-run. - v7.0+ passes silently. All versions bumped to unified v2.3.0.	2026-06-09 13:16:47 +02:00
tomas.kracmar	37d1a8d971	Release v2.2.5: resolve DSInternals module path in block error The Zone.Identifier block detection now dynamically resolves the actual DSInternals module installation path via Get-Module instead of hardcoding a ProgramFiles path, so the Unblock-File command in the error message is always correct. All versions bumped to unified v2.2.5.	2026-06-09 13:10:36 +02:00
tomas.kracmar	0175864e72	Release v2.2.4: permission check InheritOnly fix and DSInternals block detection Test-ReplicationPermissions: - Skip InheritOnly ACEs since they do not apply to the domain root object itself, only to child objects. Test-WeakADPasswords: - Detect Windows Zone.Identifier blocks on DSInternals DLLs and emit a clear error with the exact Unblock-File remediation command instead of a vague warning. All versions bumped to unified v2.2.4.	2026-06-09 13:07:46 +02:00
tomas.kracmar	9496063b97	Release v2.2.3: improve replication permission detection Test-ReplicationPermissions now recognizes: - GenericAll as satisfying replication rights - Blanket ExtendedRight (empty ObjectType) ACEs Also adds diagnostic hints distinguishing between 'missing ACE entirely' and 'ACE exists but not for you'. All versions bumped to unified v2.2.3.	2026-06-09 11:53:44 +02:00