First published on TechNet on Feb 26, 2010
Hi Folks, Ned again. It’s been crazy busy here – sorry for the delay. Hopefully you weren’t sitting around refreshing the page all day.
Not that there’s anything wrong with that.
Question
We have a Windows Server 2003 domain and administrators are running Windows 7 with the latest GPMC installed from RSAT. Is it ok for them to be updating policies that affect Windows XP and Windows 2000 machines?
Answer
Yep, it’s ok. We are pretty good about backwards compatibility (take that Apple!). The only exception to this that I am aware of is a specific bug around the – thankfully not used much anymore – legacy policy setting called “Run only allowed Windows Applications.” Read more on this here:
KB976922 The "Run only allowed Windows applications" Group Policy setting displays no entries on a computer that is running Windows Vista, Windows Server 2008, or Windows 7
http://support.microsoft.com/default.aspx?scid=kb;EN-US;976922
Question
Is it possible to enter new Group Policy Preferences items using command line? I’m converting hundreds of entries from logon scripts and it would speed things up.
Answer
Yes and no. Starting in Win7/08R2, there is a PowerShell module included to add GPP registry settings:
Set-GPPrefRegistryValue - http://technet.microsoft.com/en-us/library/ee461036.aspx
But if you wanted to modify other elements in the GPP XML files, you will have to roll your own, I’m afraid.
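For the registry items that the cmdlet does cover, a bulk conversion can be driven from a table of the values the old logon script wrote. The following is an added example, not code from the original post; the GPO name, the CSV rows and the `ConvertTo-GppValue` helper are assumptions made for illustration.

```powershell
# Added example: bulk-create GPP registry items from logon-script data.
Import-Module GroupPolicy

$gpoName = 'Logon Script Migration'   # hypothetical GPO name; the GPO must already exist

# Constructed sample input: one row per registry value the old script wrote.
$rows = @'
Context,Key,ValueName,Type,Value
User,HKCU\Software\Contoso\App,Server,String,app01.contoso.com
User,HKCU\Software\Contoso\App,Timeout,DWord,30
Computer,HKLM\Software\Contoso\App,InstallDir,ExpandString,%ProgramFiles%\Contoso
'@ | ConvertFrom-Csv

# CSV fields arrive as strings; numeric registry types need a numeric value.
function ConvertTo-GppValue {
    param([string]$Type, [string]$Value)
    switch ($Type) {
        'DWord' { [int]$Value }
        'QWord' { [long]$Value }
        { 'String', 'ExpandString' -contains $_ } { $Value }
        default { throw "Unsupported registry type in input: $Type" }
    }
}

# Fail before writing anything if the target GPO does not exist.
$null = Get-GPO -Name $gpoName -ErrorAction Stop

foreach ($r in $rows) {
    Set-GPPrefRegistryValue -Name $gpoName -Context $r.Context -Key $r.Key `
        -ValueName $r.ValueName -Type $r.Type `
        -Value (ConvertTo-GppValue $r.Type $r.Value) -Action Update | Out-Null
}

# Read the items back so the result can be reviewed before the GPO is linked.
Get-GPPrefRegistryValue -Name $gpoName -Context User -Key 'HKCU\Software\Contoso\App'
```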
Question
Is there any way to tell if an Active Directory domain was originally in-place upgraded (not migrated) from NT 4.0?
(This question courtesy of one of our MVP friends that will remain nameless unless he wants to be disclosed, and who always finds difficult puzzles for us).
Update: It's Yusuf Dikmenoglu!
Answer
1. The description of the out-of-the-way built-in security group cn=users,cn=builtin,dc=contoso,dc=com will have these differences:
NT 4.0 upgraded: “Ordinary Users”
Not NT 4.0 upgraded: various other completely different wording, depending on OS.
2. The description of the out-of-the-way built-in security group cn=guests,cn=builtin,dc=contoso,dc=com will have these differences:
NT 4.0 upgraded: “Users granted guest access to the computer/domain”
Not NT 4.0 upgraded: various other completely different wording, depending on OS.
3. The description of the out-of-the-way built-in security group cn=administrators,cn=builtin,dc=contoso,dc=com will have these differences:
NT 4.0 upgraded: “Members can fully administer the computer/domain”
Not NT 4.0 upgraded: various other completely different wording, depending on OS.
4. The description of the out-of-the-way built-in security group cn=backup operators,cn=builtin,dc=contoso,dc=com will have these differences:
NT 4.0 upgraded: “Members can bypass file security to back up files”
Not NT 4.0 upgraded: various other completely different wording, depending on OS.
Obviously, my solution is not ironclad. It is reasonable to presuppose that most customers would never change the descriptions on these objects (why bother?); plus, the objects cannot be moved or deleted.
If you find another way that’s more guaranteed, please share it. It’s an interesting exercise.
Update: More good ideas have appeared in the comments!
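The four description checks above can be scripted. This is an added example, not code from the original post: the function names and the sample descriptions are constructed for illustration, and the commented-out live lookup assumes the workstation can bind to the domain over LDAP with ADSI.

```powershell
# NT 4.0-era descriptions as listed in the post, keyed by built-in group CN.
$nt4 = @{
    'Users'            = 'Ordinary Users'
    'Guests'           = 'Users granted guest access to the computer/domain'
    'Administrators'   = 'Members can fully administer the computer/domain'
    'Backup Operators' = 'Members can bypass file security to back up files'
}

# Read the description attribute of each built-in group from a live domain.
function Get-BuiltinDescription {
    param([string]$DomainDn)
    $found = @{}
    foreach ($cn in $nt4.Keys) {
        $group = [ADSI]"LDAP://CN=$cn,CN=Builtin,$DomainDn"
        $found[$cn] = [string]$group.Properties['description'].Value
    }
    $found
}

# Compare descriptions (group CN -> text) against the NT 4.0 wording.
function Compare-Nt4Description {
    param([hashtable]$Found)
    foreach ($cn in $nt4.Keys) {
        New-Object PSObject -Property @{
            Group       = $cn
            Description = $Found[$cn]
            MatchesNt4  = ($Found[$cn] -eq $nt4[$cn])
        }
    }
}

# Constructed sample: an upgraded domain where one description was later edited.
$sample = @{
    'Users'            = 'Ordinary Users'
    'Guests'           = 'Users granted guest access to the computer/domain'
    'Administrators'   = 'Edited by an administrator (constructed value)'
    'Backup Operators' = 'Members can bypass file security to back up files'
}
$result = Compare-Nt4Description $sample
$result | Format-Table Group, MatchesNt4, Description -AutoSize
$hits = @($result | Where-Object { $_.MatchesNt4 }).Count
'{0} of {1} built-in group descriptions carry the NT 4.0 wording' -f $hits, $nt4.Count

# Live check against the current domain:
# $dn = [string]([ADSI]'LDAP://RootDSE').defaultNamingContext
# Compare-Nt4Description (Get-BuiltinDescription $dn)
```

Because descriptions are editable, a partial match is a hint to weigh rather than proof either way.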
Until next time.
- Ned “6a” Pyle
Updated Apr 04, 2019
Ask the Directory Services Team