Friday Mail Sack – Very Late Edition

Hi Folks, Ned again. It’s been crazy busy here – sorry for the delay. Hopefully you weren’t sitting around refreshing the page all day.

Not that there’s anything wrong with that.

Question

We have a Windows Server 2003 domain and administrators are running Windows 7 with the latest GPMC installed from RSAT. Is it ok for them to be updating policies that affect Windows XP and Windows 2000 machines?

Answer

Yep, it’s ok. We are pretty good about backwards compatibility (take that, Apple!). The only exception to this that I am aware of is a specific bug around the – thankfully not used much anymore – legacy policy setting called “Run only allowed Windows Applications.” Read more on this here:

KB976922: The “Run only allowed Windows applications” Group Policy setting displays no entries on a computer that is running Windows Vista, Windows Server 2008, or Windows 7
http://support.microsoft.com/default.aspx?scid=kb;EN-US;976922

Question

Is it possible to enter new Group Policy Preferences items using command line? I’m converting hundreds of entries from logon scripts and it would speed things up.

Answer

Yes and no. Starting in Win7/08R2, the included Group Policy PowerShell module has a cmdlet to add GPP registry settings:

Set-GPPrefRegistryValue – http://technet.microsoft.com/en-us/library/ee461036.aspx

But if you wanted to modify other elements in the GPP XML files, you will have to roll your own, I’m afraid.

Question

Is there any way to tell if an Active Directory domain was originally in-place upgraded (not migrated) from NT 4.0?

(This question courtesy of one of our MVP friends that will remain nameless unless he wants to be disclosed, and who always finds difficult puzzles for us).

Update: It’s Yusuf Dikmenoglu!

Answer

1. The description of the out-of-the-way built-in security group cn=users,cn=builtin,dc=contoso,dc=com will have these differences:

NT 4.0 upgraded: “Ordinary Users”
Not NT 4.0 upgraded: various other completely different wording, depending on OS.

2. The description of the out-of-the-way built-in security group cn=guests,cn=builtin,dc=contoso,dc=com will have these differences:

NT 4.0 upgraded: “Users granted guest access to the computer/domain”
Not NT 4.0 upgraded: various other completely different wording, depending on OS.

3. The description of the out-of-the-way built-in security group cn=administrators,cn=builtin,dc=contoso,dc=com will have these differences:

NT 4.0 upgraded: “Members can fully administer the computer/domain”
Not NT 4.0 upgraded: various other completely different wording, depending on OS.

4. The description of the out-of-the-way built-in security group cn=backup operators,cn=builtin,dc=contoso,dc=com will have these differences:

NT 4.0 upgraded: “Members can bypass file security to back up files”
Not NT 4.0 upgraded: various other completely different wording, depending on OS.

Obviously, my solution is not ironclad. It is reasonable to presuppose that most customers would never change the descriptions on these objects (why bother?); plus, the objects cannot be moved or deleted.
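The four checks above can be run in one pass. This is an added example, not code from the original post: it reads each built-in group's description over ADSI (so no ActiveDirectory module is needed) and compares it with the NT 4.0-era strings listed above. The function name Test-Nt4Description and the variable names are made up for illustration, and the domain is resolved from RootDSE instead of using dc=contoso,dc=com.

```powershell
# Added example: compare built-in group descriptions with the NT 4.0-era
# strings from the list above. Run from a domain-joined machine.
# A match is an indicator only, since descriptions can be edited.

# Descriptions the post associates with an in-place NT 4.0 upgrade.
$nt4Descriptions = @{
    'Users'            = 'Ordinary Users'
    'Guests'           = 'Users granted guest access to the computer/domain'
    'Administrators'   = 'Members can fully administer the computer/domain'
    'Backup Operators' = 'Members can bypass file security to back up files'
}

# Hypothetical helper: true when a description equals the NT 4.0 wording.
function Test-Nt4Description {
    param([string]$GroupName, [string]$Description)
    # -eq on strings is case-insensitive; Trim() ignores stray whitespace.
    return ($Description.Trim() -eq $nt4Descriptions[$GroupName])
}

# Resolve the current domain's distinguished name from RootDSE.
$domainDn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext

$results = @(foreach ($name in $nt4Descriptions.Keys) {
    $group = [ADSI]"LDAP://CN=$name,CN=Builtin,$domainDn"
    # An unset description comes back as $null, which casts to an empty string.
    $desc  = [string]$group.Properties['description'].Value
    New-Object PSObject -Property @{
        Group       = $name
        Description = $desc
        MatchesNT4  = Test-Nt4Description -GroupName $name -Description $desc
    }
})

$results | Format-Table Group, MatchesNT4, Description -AutoSize

# Summarize: the more groups that match, the stronger the indication.
$hits = @($results | Where-Object { $_.MatchesNT4 }).Count
'{0} of {1} built-in groups carry the NT 4.0-era description.' -f $hits, $results.Count
```

Matching descriptions on all four groups is the strongest signal this method can give; a partial match suggests someone has edited the descriptions.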

If you find another way that’s more guaranteed, please share it. It’s an interesting exercise.

Update: More good ideas have appeared in the comments!

Until next time.

– Ned “6a” Pyle