Release v2.4.3: fix tokenGroups retrieval and DirectoryEntry LDAP paths

Test-ReplicationPermissions: - Replaced DirectoryEntry.RefreshCache tokenGroups retrieval with Get-ADUser -Properties tokenGroups. DirectoryEntry does not understand URI percent-encoding, so the v2.4.1 EscapeDataString fix caused 'invalid dn syntax' errors. - Removed EscapeDataString from the ACL DirectoryEntry path as well; DirectoryEntry expects raw LDAP ADSI path syntax. All versions bumped to unified v2.4.3.
Release v2.4.2: replace em-dashes with ASCII hyphens to fix encoding parse errors
2026-06-09 14:14:45 +02:00 · 2026-06-09 13:51:13 +02:00 · 2026-06-09 13:42:34 +02:00 · 2026-06-09 13:32:21 +02:00 · 2026-06-09 13:16:47 +02:00
11 changed files with 128 additions and 23 deletions
@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Bump-Version.ps1                       ##
-## Version: 2.2.5                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################

@@ -149,7 +149,7 @@ if (-not $SkipChangelog) {

 ---

-## [$NewVersion] — $today
+## [$NewVersion] - $today

 ### Changed
 - (describe your change here)
@@ -6,6 +6,50 @@ Starting with **v2.2.0**, Elysium uses a **unified project version**. All script

 ---

+## [2.4.3] — 2026-06-09
+
+### Fixed
+- Replaced the `DirectoryEntry` + `RefreshCache` tokenGroups retrieval in `Test-ReplicationPermissions` with `Get-ADUser -Properties tokenGroups`. The previous `DirectoryEntry` approach was broken by the v2.4.1 URI-escaping "fix" (`EscapeDataString` produces percent-encoded paths that ADSI `DirectoryEntry` cannot parse, causing "invalid dn syntax" errors).
+- Removed `EscapeDataString` from the ACL-reading `DirectoryEntry` path in `Test-ReplicationPermissions` as well, since `DirectoryEntry` expects raw LDAP path syntax, not URI encoding.
+
+---
+
+## [2.4.2] — 2026-06-09
+
+### Fixed
+- Replaced UTF-8 em-dashes (`\u2014`) in `Elysium.Common.ps1` and `Bump-Version.ps1` with ASCII hyphens. On Windows PowerShell without a UTF-8 BOM, the three-byte em-dash sequence was misinterpreted as containing a quote character, causing cascading parse errors (unexpected token, missing closing `)`/`}`/`catch`, etc.).
+
+---
+
+## [2.4.1] — 2026-06-09
+
+### Fixed
+- `Test-ReplicationPermissions` and `Test-DCClockSkew` now URI-escape Distinguished Names via `[System.Uri]::EscapeDataString` before embedding them in `DirectoryEntry` LDAP URLs. DNs containing `/`, `#`, or other reserved characters previously caused URL mis-parsing and constructor failures.
+
+---
+
+## [2.4.0] — 2026-06-09
+
+### Added
+- **DC clock skew pre-flight check** (`Test-DCClockSkew` in `Elysium.Common.ps1`): compares the local machine clock against the target DC's `RootDSE.currentTime` before attempting DCSync. Warns if skew exceeds 300s (Kerberos hard limit) or 60s (approaching limit), and provides the `w32tm /resync /force` remediation command.
+- **SDProp protection warning** in `Test-ReplicationPermissions`: detects `adminCount=1` on the service account and warns that SDProp runs every 60 minutes and may silently revert replication rights or group memberships.
+- **Protected Users group warning** in `Test-ReplicationPermissions`: detects membership in the Protected Users group (RID 525) and warns that it restricts Kerberos delegation and RC4 authentication required by DSInternals for DRS replication.
+
+### Fixed
+- DSInternals auto-update flow now uses `Install-Module -Force -AllowClobber` instead of `Update-Module` to avoid a PowerShellGet bug where null `PublishedDate` metadata causes "cannot convert null to type system.datetime".
+
+---
+
+## [2.3.0] — 2026-06-09
+
+### Added
+- `Test-WeakADPasswords.ps1` now checks the installed DSInternals version at startup:
+  - **v6.2** (unsigned) is flagged with a warning explaining that unsigned native DLLs are blocked and replication will fail. Remediation: `Update-Module DSInternals`.
+  - **Below v7.0** triggers an interactive prompt offering to run `Update-Module DSInternals -Force` automatically. If accepted, the script updates the module and exits cleanly so the operator can re-run with the new version loaded.
+  - v7.0+ is required because it fixes intermittent CRC errors mid-replication and `Test-PasswordQuality` result truncation bugs.
+
+---
+
 ## [2.2.5] — 2026-06-09

 ### Fixed
@@ -1,4 +1,4 @@
-$script:ElysiumVersion = '2.2.5'
+$script:ElysiumVersion = '2.4.3'

 function Invoke-RestartWithExecutable {
    param(
@@ -338,21 +338,30 @@ function Test-ReplicationPermissions {
    try {
        $samName = $Credential.UserName -replace '^.*\\', ''
        $adUser = Get-ADUser -Identity $samName -Server $Server -Credential $Credential `
-            -Properties SID, DistinguishedName -ErrorAction Stop
+            -Properties SID, DistinguishedName, adminCount -ErrorAction Stop
        [void]$callerSids.Add($adUser.SID.Value)

        # tokenGroups is a constructed attribute containing all SIDs in the user's token,
-        # including nested group memberships — more reliable than walking MemberOf recursively
-        $userDe = New-Object System.DirectoryServices.DirectoryEntry(
-            "LDAP://$Server/$($adUser.DistinguishedName)",
-            $Credential.UserName,
-            $Credential.GetNetworkCredential().Password
-        )
-        $userDe.RefreshCache(@('tokenGroups'))
-        foreach ($sidBytes in $userDe.Properties['tokenGroups']) {
-            $sid = New-Object System.Security.Principal.SecurityIdentifier($sidBytes, 0)
+        # including nested group memberships - more reliable than walking MemberOf recursively
+        $adUserWithTokenGroups = Get-ADUser -Identity $samName -Server $Server -Credential $Credential `
+            -Properties tokenGroups -ErrorAction Stop
+        foreach ($sidBytes in $adUserWithTokenGroups.tokenGroups) {
+            $sid = New-Object System.Security.Principal.SecurityIdentifier(@([byte[]]$sidBytes), 0)
            [void]$callerSids.Add($sid.Value)
        }
+
+        # adminCount=1 means SDProp is managing this account; it runs every 60 min and can
+        # silently revert replication rights or group memberships granted to the account
+        if ($adUser.adminCount -eq 1) {
+            Write-Warning ("Account '{0}' has adminCount=1 (SDProp-protected). It is or was a member of a privileged group. SDProp runs every 60 minutes and may silently revert replication rights or group memberships on this account." -f $Credential.UserName)
+        }
+
+        # Protected Users group (RID 525) blocks the Kerberos mechanisms DSInternals uses for DRS
+        $domainSidStr = $adUser.SID.Value.Substring(0, $adUser.SID.Value.LastIndexOf('-'))
+        $protectedUsersSid = "$domainSidStr-525"
+        if ($callerSids.Contains($protectedUsersSid)) {
+            Write-Warning ("Account '{0}' is a member of Protected Users. This group restricts Kerberos delegation and RC4 authentication that DSInternals requires for DRS replication - access will be denied regardless of assigned rights." -f $Credential.UserName)
+        }
    } catch {
        Write-Warning ("Could not resolve account SIDs for replication permission pre-check: {0}. Skipping." -f $_.Exception.Message)
        return
@@ -379,7 +388,7 @@ function Test-ReplicationPermissions {
        $aceExistsForGuid = $false
        foreach ($ace in $acl) {
            if ($ace.AccessControlType -ne [System.Security.AccessControl.AccessControlType]::Allow) { continue }
-            # InheritOnly ACEs apply to child objects only — the domain root itself is not covered
+            # InheritOnly ACEs apply to child objects only - the domain root itself is not covered
            if ([bool]($ace.PropagationFlags -band [System.Security.AccessControl.PropagationFlags]::InheritOnly)) { continue }
            $rights        = $ace.ActiveDirectoryRights
            $hasExtended   = [bool]($rights -band [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight)
@@ -409,3 +418,32 @@ function Test-ReplicationPermissions {

    Write-Host ("[+] Replication permissions verified for '{0}'." -f $Credential.UserName)
 }
+
+function Test-DCClockSkew {
+    param(
+        [Parameter(Mandatory)][string]$Server,
+        [Parameter(Mandatory)][System.Management.Automation.PSCredential]$Credential
+    )
+    try {
+        $rootDse = New-Object System.DirectoryServices.DirectoryEntry(
+            "LDAP://$Server/RootDSE",
+            $Credential.UserName,
+            $Credential.GetNetworkCredential().Password
+        )
+        $dcTimeStr = $rootDse.Properties['currentTime'][0]
+        $dcTime = [datetime]::ParseExact(
+            $dcTimeStr, 'yyyyMMddHHmmss.0Z',
+            [System.Globalization.CultureInfo]::InvariantCulture,
+            [System.Globalization.DateTimeStyles]::AssumeUniversal).ToUniversalTime()
+        $skewSeconds = [Math]::Abs(([datetime]::UtcNow - $dcTime).TotalSeconds)
+        if ($skewSeconds -gt 300) {
+            Write-Warning ("Clock skew of {0:N0}s with '{1}' exceeds Kerberos limit of 300s - authentication will fail. Sync the clock: w32tm /resync /force" -f $skewSeconds, $Server)
+        } elseif ($skewSeconds -gt 60) {
+            Write-Warning ("Clock skew of {0:N0}s detected with '{1}'. Kerberos allows up to 300s - approaching the limit." -f $skewSeconds, $Server)
+        } else {
+            Write-Host ("[+] Clock skew with '{0}': {1:N0}s (OK)." -f $Server, $skewSeconds)
+        }
+    } catch {
+        Write-Warning ("Could not check clock skew against '{0}': {1}" -f $Server, $_.Exception.Message)
+    }
+}
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Elysium.ps1                            ##
-## Version: 2.2.5                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################

@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: ElysiumSettings.txt                    ##
-## Version: 2.2.5                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Extract-NTHashes.ps1                   ##
-## Version: 2.2.5                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Prepare-KHDBStorage.ps1                ##
-## Version: 2.2.5                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################

@@ -8,7 +8,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Test-WeakADPasswords.ps1               ##
-## Version: 2.2.5                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################

@@ -392,6 +392,28 @@ try {
    }
 }

+# Version check: v6.2 was unsigned (blocks native DLLs, causes replication failures);
+# v7.0 fixes intermittent CRC errors mid-replication and Test-PasswordQuality result truncation.
+$dsInternalsVersion = (Get-Module -Name DSInternals).Version
+$minimumVersion = [version]'7.0'
+$unsignedVersion = [version]'6.2'
+if ($dsInternalsVersion -eq $unsignedVersion) {
+    Write-Warning ("DSInternals {0} is not digitally signed, which blocks its native DLLs and causes replication failures. Update to v7.0+: Install-Module DSInternals -Force -AllowClobber" -f $dsInternalsVersion)
+} elseif ($dsInternalsVersion -lt $minimumVersion) {
+    $resp = Read-Host ("DSInternals {0} is installed; v7.0 fixes intermittent replication CRC errors and result truncation. Update now? [Y/N]" -f $dsInternalsVersion)
+    if ($resp -match '^(?i:y|yes)$') {
+        try {
+            # Install-Module -Force is used instead of Update-Module to avoid a PowerShellGet bug
+            # where null PublishedDate metadata causes "cannot convert null to type system.datetime"
+            Install-Module -Name DSInternals -Force -AllowClobber -ErrorAction Stop
+            Write-Host '[+] DSInternals updated. Please re-run the script to load the new version.'
+            exit 0
+        } catch {
+            Write-Warning ("DSInternals update failed: {0}" -f $_.Exception.Message)
+        }
+    }
+}
+
 # Resolve KHDB path with fallbacks
 $installationPath = $ElysiumSettings["InstallationPath"]
 if ([string]::IsNullOrWhiteSpace($installationPath)) { $installationPath = $scriptRoot }
@@ -582,9 +604,10 @@ function Test-WeakADPasswords {
        Write-Verbose ("Using credential supplied by caller: {0}" -f $credential.UserName)
    }

-    # Verify the account has the three replication extended rights before attempting DCSync
+    # Pre-flight checks before attempting DCSync
    try {
        $domainInfo = Get-ADDomain -Server $selectedDomain["DC"] -Credential $credential -ErrorAction Stop
+        Test-DCClockSkew -Server $selectedDomain["DC"] -Credential $credential
        Test-ReplicationPermissions -DomainDN $domainInfo.DistinguishedName `
            -Server $selectedDomain["DC"] -Credential $credential
    } catch {
@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Uninstall.ps1                          ##
-## Version: 2.2.5                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Update-KHDB.ps1                        ##
-## Version: 2.2.5                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################

@@ -7,7 +7,7 @@
 ##################################################
 ## Project: Elysium                             ##
 ## File: Update-LithnetStore.ps1                ##
-## Version: 2.2.5                               ##
+## Version: 2.4.3                               ##
 ## Support: support@cqre.net                    ##
 ##################################################
Author	SHA1	Message	Date
tomas.kracmar	af945f529e	Release v2.4.3: fix tokenGroups retrieval and DirectoryEntry LDAP paths Test-ReplicationPermissions: - Replaced DirectoryEntry.RefreshCache tokenGroups retrieval with Get-ADUser -Properties tokenGroups. DirectoryEntry does not understand URI percent-encoding, so the v2.4.1 EscapeDataString fix caused 'invalid dn syntax' errors. - Removed EscapeDataString from the ACL DirectoryEntry path as well; DirectoryEntry expects raw LDAP ADSI path syntax. All versions bumped to unified v2.4.3.	2026-06-09 14:14:45 +02:00
tomas.kracmar	03aa72f999	Release v2.4.2: replace em-dashes with ASCII hyphens to fix encoding parse errors UTF-8 em-dashes (U+2014) in Elysium.Common.ps1 string literals were being misinterpreted by Windows PowerShell as containing quote characters when the file was read without a UTF-8 BOM. This caused cascading parse errors: unexpected tokens, missing closing braces, and missing catch blocks. All em-dashes in .ps1 files have been replaced with ASCII hyphens. All versions bumped to unified v2.4.2.	2026-06-09 13:51:13 +02:00
tomas.kracmar	10cbf0285d	Release v2.4.1: URI-escape DNs in DirectoryEntry LDAP URLs Test-ReplicationPermissions and Test-DCClockSkew now escape Distinguished Names via [System.Uri]::EscapeDataString before constructing DirectoryEntry LDAP URLs. This prevents URL mis-parsing when DNs contain /, #, or other reserved characters. All versions bumped to unified v2.4.1.	2026-06-09 13:42:34 +02:00
tomas.kracmar	fc91f0d6b0	Release v2.4.0: DC clock skew check, SDProp/Protected Users warnings, and DSInternals install fix Added pre-flight diagnostics: - Test-DCClockSkew: validates local/DC clock skew before DCSync to catch Kerberos auth failures early. - Test-ReplicationPermissions now warns on adminCount=1 (SDProp protected) and Protected Users group membership (RID 525), both of which can silently block or revert replication rights. Fixed DSInternals update flow: - Replaced Update-Module with Install-Module -Force -AllowClobber to work around a PowerShellGet null PublishedDate bug. All versions bumped to unified v2.4.0.	2026-06-09 13:32:21 +02:00
tomas.kracmar	6b2ae6c8b5	Release v2.3.0: add DSInternals version check and auto-update Test-WeakADPasswords.ps1 now validates the installed DSInternals version at startup: - v6.2 (unsigned) warns that native DLLs are blocked and replication will fail; directs operator to Update-Module DSInternals. - Below v7.0 prompts to auto-update via Update-Module -Force and exits cleanly so the new version is loaded on re-run. - v7.0+ passes silently. All versions bumped to unified v2.3.0.	2026-06-09 13:16:47 +02:00