Friday Mail Sack – Very Late Edition


Hi Folks. It’s been crazy busy here – sorry for the delay. Hopefully you weren’t sitting around refreshing the page all day.

Not that there’s anything wrong with that.

Question

We have a Windows Server 2003 domain and administrators are running Windows 7 with the latest GPMC installed from RSAT. Is it ok for them to be updating policies that affect Windows XP and Windows 2000 machines?

Answer

Yep, it’s ok. We are pretty good about backwards compatibility (take that Apple!). The only exception to this that I am aware of is a specific bug around the – thankfully not used much anymore – legacy policy setting called “Run only allowed Windows Applications.” Read more on this here:

KB976922    The "Run only allowed Windows applications" Group Policy setting displays no entries on a computer that is running Windows Vista, Windows Server 2008, or Windows 7
http://support.microsoft.com/default.aspx?scid=kb;EN-US;976922

Question

Is it possible to enter new Group Policy Preferences items using command line? I’m converting hundreds of entries from logon scripts and it would speed things up.

Answer

Yes and no. Starting with Windows 7 / Windows Server 2008 R2, the GroupPolicy PowerShell module includes a cmdlet for creating GPP registry items:

Set-GPPrefRegistryValue - http://technet.microsoft.com/en-us/library/ee461036.aspx

But if you want to create any other kind of preference item, you will have to edit the GPP XML files yourself, I’m afraid; there is no cmdlet for those.
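As an added example (not code from the original post or from the GroupPolicy module), here is one way to bulk-convert "reg add" lines from a logon script into GPP Registry items with Set-GPPrefRegistryValue. The GPO name and the three sample script lines are made up for the example; the cmdlet, its parameters and the GroupPolicy module are real.

```powershell
# Added example: convert "reg add" lines from a legacy logon script into
# Group Policy Preferences registry items. Run on Windows 7 / 2008 R2 with RSAT.
Import-Module GroupPolicy

$GpoName = 'Contoso Logon Script Replacement'   # assumed GPO; create it first with New-GPO

# Constructed sample: three lines as they might appear in an old logon script.
$logonScriptLines = @'
reg add "HKCU\Software\Contoso\Intranet" /v HomeServer /t REG_SZ /d "intranet.contoso.com" /f
reg add "HKCU\Software\Contoso\Intranet" /v ShowTips /t REG_DWORD /d 1 /f
reg add HKLM\SOFTWARE\Contoso\Agent /v LogPath /t REG_EXPAND_SZ /d "%SystemRoot%\Logs\Agent" /f
'@ -split "`r?`n"

# reg.exe type names mapped to the -Type values Set-GPPrefRegistryValue accepts
$typeMap = @{
    REG_SZ        = 'String'
    REG_EXPAND_SZ = 'ExpandString'
    REG_DWORD     = 'DWord'
    REG_QWORD     = 'QWord'
    REG_MULTI_SZ  = 'MultiString'
    REG_BINARY    = 'Binary'
}
$hiveMap = @{ HKCU = 'HKEY_CURRENT_USER'; HKLM = 'HKEY_LOCAL_MACHINE' }

# Parse one "reg add" line into a hashtable that can be splatted onto the cmdlet.
function ConvertFrom-RegAddLine {
    param([string]$Line)
    # quote-aware tokenizer so "%SystemRoot%\Logs\Agent" stays one token
    $tokens = @([regex]::Matches($Line, '"[^"]*"|\S+') | ForEach-Object { $_.Value.Trim('"') })
    if ($tokens.Count -lt 3 -or $tokens[0] -ne 'reg' -or $tokens[1] -ne 'add') { return $null }

    $hive, $subKey = $tokens[2] -split '\\', 2
    if ($hiveMap.ContainsKey($hive)) { $hive = $hiveMap[$hive] }
    $context = 'Computer'
    if ($hive -eq 'HKEY_CURRENT_USER') { $context = 'User' }

    $valueName = ''; $regType = 'REG_SZ'; $data = ''
    for ($i = 3; $i -lt $tokens.Count; $i++) {
        switch ($tokens[$i]) {
            '/v' { $valueName = $tokens[++$i] }
            '/t' { $regType   = $tokens[++$i] }
            '/d' { $data      = $tokens[++$i] }
        }
    }
    $type = $typeMap[$regType.ToUpper()]
    if (-not $type) { throw "Unsupported registry type '$regType' in: $Line" }

    # DWORD/QWORD data must be passed as numbers; [int] also understands 0x-prefixed hex
    $value = switch ($type) {
        'DWord' { [int]$data }
        'QWord' { [long]$data }
        default { $data }
    }
    @{ Context = $context; Key = "$hive\$subKey"; ValueName = $valueName; Value = $value; Type = $type }
}

foreach ($line in $logonScriptLines) {
    $item = ConvertFrom-RegAddLine $line
    if (-not $item) { continue }
    Write-Host ("{0}: {1}\{2} = {3} ({4})" -f $item.Context, $item.Key, $item.ValueName, $item.Value, $item.Type)
    # Action Update creates the value if missing and overwrites it otherwise,
    # which is what "reg add ... /f" did in the script.
    Set-GPPrefRegistryValue -Name $GpoName -Action Update @item | Out-Null
}
```

The parser is deliberately limited to the `/v`, `/t` and `/d` switches; a script that uses `/ve` (default value) or `/s` (multi-string separator) needs a little more handling. Review the printed lines before trusting the result, since a typo in a hive name silently lands an item in the wrong context.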

Question

Is there any way to tell if an Active Directory domain was originally in-place upgraded (not migrated) from NT 4.0?

(This question courtesy of one of our MVP friends that will remain nameless unless he wants to be disclosed, and who always finds difficult puzzles for us).

Update: It's Yusuf Dikmenoglu!

Answer

1. The description of the out-of-the-way built-in security group cn=users,cn=builtin,dc=contoso,dc=com will have these differences:

NT 4.0 upgraded: “Ordinary Users”
Not NT 4.0 upgraded: various other completely different wording, depending on OS.

2. The description of the out-of-the-way built-in security group cn=guests,cn=builtin,dc=contoso,dc=com will have these differences:

NT 4.0 upgraded: “Users granted guest access to the computer/domain”
Not NT 4.0 upgraded: various other completely different wording, depending on OS.

3. The description of the out-of-the-way built-in security group cn=administrators,cn=builtin,dc=contoso,dc=com will have these differences:

NT 4.0 upgraded: “Members can fully administer the computer/domain”
Not NT 4.0 upgraded: various other completely different wording, depending on OS.

4. The description of the out-of-the-way built-in security group cn=backup operators,cn=builtin,dc=contoso,dc=com will have these differences:

NT 4.0 upgraded: “Members can bypass file security to back up files”
Not NT 4.0 upgraded: various other completely different wording, depending on OS.

Obviously, my solution is not ironclad. It is reasonable to presuppose that most customers would never change the descriptions on these objects (why bother?); plus, the objects cannot be moved or deleted.

If you find another way that’s more guaranteed, please share it. It’s an interesting exercise.

Update: More good ideas have appeared in the comments!

Until next time.

- Ned “6a” Pyle

  • Hello Ned,

    it would be an honor for me, if you would publish my name on the "one-and-only" AD-Blog. ;-)

    Another guaranteed option is if the NetBIOS domain name has a period in the name. Example: "Company.com". Then the domain was 100% upgraded from an NT to an AD domain.

    Best Regards

    Yusuf Dikmenoglu

  • The presence of the replicator group is another potential indicator
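The following is an added example, not code from the original post or its comments. It collects the indicators described in the answer (the four built-in group descriptions) together with the two from the comments above (a dot in the NetBIOS domain name, and the presence of a Replicator group) in one report. It uses plain ADSI so it also works against Windows Server 2003 DCs without ADWS; it assumes it runs as a domain user on a domain-joined machine, and the expected description strings are taken from the answer.

```powershell
# Added example: report NT 4.0 in-place-upgrade indicators for the current domain via ADSI.
$rootDse  = [ADSI]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext
$configDn = [string]$rootDse.configurationNamingContext

# Descriptions that the answer reports on NT 4.0-upgraded domains.
$nt4Descriptions = @{
    'Users'            = 'Ordinary Users'
    'Guests'           = 'Users granted guest access to the computer/domain'
    'Administrators'   = 'Members can fully administer the computer/domain'
    'Backup Operators' = 'Members can bypass file security to back up files'
}

function New-Indicator([string]$Name, [string]$Observed, [bool]$Nt4Style) {
    New-Object PSObject -Property @{ Indicator = $Name; Observed = $Observed; Nt4Style = $Nt4Style }
}

$indicators = @()

# 1. Built-in group descriptions (the answer's check)
foreach ($group in $nt4Descriptions.Keys) {
    $desc = [string]([ADSI]"LDAP://CN=$group,CN=Builtin,$domainDn").description
    $indicators += New-Indicator "Builtin\$group description" $desc ($desc -eq $nt4Descriptions[$group])
}

# 2. NetBIOS domain name containing a dot (first comment). The NetBIOS name is stored
#    on the domain's crossRef object under CN=Partitions in the configuration NC.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Partitions,$configDn"
$searcher.Filter = "(&(objectClass=crossRef)(nCName=$domainDn))"
$searcher.PropertiesToLoad.Add('nETBIOSName') | Out-Null
$netbios = [string]$searcher.FindOne().Properties['netbiosname'][0]
$indicators += New-Indicator 'NetBIOS name contains a dot' $netbios ($netbios -like '*.*')

# 3. Replicator group present (second comment's potential indicator)
$hasReplicator = [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://CN=Replicator,CN=Builtin,$domainDn")
$indicators += New-Indicator 'Replicator group exists' $hasReplicator $hasReplicator

$indicators | Select-Object Indicator, Observed, Nt4Style | Format-Table -AutoSize
```

Treat the output as evidence to weigh, not a verdict: as the answer notes, an administrator could have rewritten the descriptions, and the Replicator group is only a potential indicator. The NetBIOS-name check is the strongest of the set, since a dotted NetBIOS name cannot be chosen when creating a new AD domain.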

  • Is there a way I can find out who created an object in AD?

  • Yes, via auditing. What OS are your DCs?

  • A "back door" way to give you an idea would be to find out the 'create time' for the domain and then see how many users, groups, computers you can find with a create time that was at *about* the same time. It's unlikely someone is going to create a boat load of objects at the time the domain is created, so if you have a bunch of stuff created at about that time, it is likely an upgrade. A simple approach using two one-liners would be to use PowerShell (with Quest cmdlets), or you may use ADWS as well.

    Get-QADObject "dc=notsogood,dc=domain" | Select-Object CreationDate

    (For instance, if the result were:) 6/14/2008 2:25:03 AM

    Then do this, to find out how many users were created that day, and so forth and so on for other objects.

    Get-QADUser -SizeLimit 0 -CreatedOn (Get-Date).AddDays(-416) | Measure-Object
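As an added example (not the commenter's code, which uses the Quest cmdlets), here is the same "objects created at about the time the domain was created" heuristic written against plain ADSI, so it runs on a Windows 7 box without Quest or ADWS. The window size is a parameter; the comment compares the same day, so 24 hours is the default. It assumes a domain-joined machine and a domain account that can read the directory.

```powershell
# Added example: count users, groups and computers whose whenCreated falls within a
# window after the domain's own creation time, using System.DirectoryServices only.
function Get-ObjectsCreatedNearDomainCreation {
    param([int]$WindowHours = 24)

    $rootDse    = [ADSI]'LDAP://RootDSE'
    $domainDn   = [string]$rootDse.defaultNamingContext
    $domainRoot = [ADSI]"LDAP://$domainDn"

    # whenCreated on the domain head object is when the domain itself was created
    $base = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
    $base.SearchScope = 'Base'
    $base.Filter = '(objectClass=*)'
    $base.PropertiesToLoad.Add('whenCreated') | Out-Null
    $domainCreated = [datetime]$base.FindOne().Properties['whencreated'][0]

    # LDAP generalized-time bounds for the window (UTC, e.g. 20080614022503.0Z)
    $from = $domainCreated.ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'
    $to   = $domainCreated.AddHours($WindowHours).ToUniversalTime().ToString('yyyyMMddHHmmss') + '.0Z'

    $classes = @{
        Users     = '(&(objectCategory=person)(objectClass=user))'
        Groups    = '(objectCategory=group)'
        Computers = '(objectCategory=computer)'
    }

    $result = New-Object PSObject -Property @{ DomainCreated = $domainCreated; WindowHours = $WindowHours }
    foreach ($name in $classes.Keys) {
        $s = New-Object System.DirectoryServices.DirectorySearcher($domainRoot)
        $s.PageSize = 1000                       # page past the server's 1000-result limit
        $s.Filter = "(&$($classes[$name])(whenCreated>=$from)(whenCreated<=$to))"
        $s.PropertiesToLoad.Add('distinguishedName') | Out-Null
        $found = $s.FindAll()
        $result | Add-Member NoteProperty $name $found.Count
        $found.Dispose()
    }
    $result
}

# A freshly built domain shows only its default objects in this window; an upgraded
# domain shows its whole NT 4.0 account database, all stamped minutes after creation.
Get-ObjectsCreatedNearDomainCreation | Format-List
```

Compare the counts with the handful of default users and groups a new domain contains; hundreds of accounts inside the window is the upgrade signature the comment describes. Widen `-WindowHours` if the upgrade ran overnight across a day boundary.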