Is it possible to define AD DS domain/forest functional levels from a domain-joined workstation? Preferably through CLI/PS and if possible w/o Domain Admin rights... How can I accomplish it?
The following PowerShell does not require admin or domain admin access; I've tested it as a limited user on a domain-joined workstation with PowerShell v2/v3. It does not require any third-party tools or PowerShell modules.
The values returned will represent a distinct functional level:
References:
Just a complementary solution to the accepted answer, as I ended up here more or less with the same need. The difference is one gets the level name decoded:
You just want to check it or actually change it? Changing it would require certain administrative rights on the domain/forest.
The easiest way I can think of without dsquery or PS Get-ADDomain (which would require importing the AD module) is to use Joeware's ADFIND command.
http://www.joeware.net/freetools/tools/adfind/
Example output from my domain:
For a GUI-based approach you can use Active Directory Explorer. Right-click on domain top node, click Properties and check the value of domainControllerFunctionality, domainFunctionality or forestFunctionality. They have integer values corresponding to:
0 = Win 2000
1 = Win 2003 mixed/interim
2 = Win 2003
3 = Win 2008
4 = Win 2008 R2
5 = Win 2012
6 = Win 2012 R2
7 = Win 2016
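The attribute names and integer table above can be combined into one read-only check. This is an added example, not code from any of the answers on this page; the function names `ConvertTo-FunctionalLevelName` and `Get-FunctionalLevelReport` are hypothetical, and the sample values are constructed so the decoding can be run without a domain.

```powershell
# Added example. Level names are copied from the integer table on this page.
$FunctionalLevelNames = @{
    0 = 'Win 2000'
    1 = 'Win 2003 mixed/interim'
    2 = 'Win 2003'
    3 = 'Win 2008'
    4 = 'Win 2008 R2'
    5 = 'Win 2012'
    6 = 'Win 2012 R2'
    7 = 'Win 2016'
}

function ConvertTo-FunctionalLevelName {
    param($Value)
    $text = "$Value".Trim()
    if ($text -eq '') { return 'not set' }
    $number = 0
    if (-not [int]::TryParse($text, [ref]$number)) { return "unparseable ($text)" }
    if ($FunctionalLevelNames.ContainsKey($number)) { return $FunctionalLevelNames[$number] }
    return "unknown ($number)"   # value not covered by the table on this page
}

function Get-FunctionalLevelReport {
    # $Source: any object exposing the three RootDSE attributes as properties.
    # Default is a live, read-only RootDSE bind as the current user.
    param($Source = ([ADSI]'LDAP://RootDSE'))
    foreach ($attribute in 'forestFunctionality', 'domainFunctionality', 'domainControllerFunctionality') {
        $raw = $Source.$attribute
        New-Object PSObject -Property @{
            Attribute = $attribute
            Value     = "$raw"
            Level     = ConvertTo-FunctionalLevelName $raw
        }
    }
}

# Constructed sample values (not from a real domain) to exercise the decoder offline.
$sample = @{ forestFunctionality = 2; domainFunctionality = 6; domainControllerFunctionality = 10 }
Get-FunctionalLevelReport -Source $sample | Select-Object Attribute, Value, Level

# On a domain-joined machine, query the directory instead:
# Get-FunctionalLevelReport | Select-Object Attribute, Value, Level
```

A domain controller level higher than the forest or domain level, as in the sample, is the normal state before a level raise; a value reported as unknown means the directory is newer than the table on this page.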
You need to ask this question a little differently, because I'm not sure what you are trying to do. The way this reads is that you want a PowerShell script or batch file that can perform extremely administrative tasks without running as a user that is able to perform those tasks. If that's what you are asking, it's not possible, by design.
However, if you are asking about administering AD from a workstation, by handing a user a script that can run commands the user otherwise would not be able to (i.e. you want to query AD from an unprivileged service account), we would need to know what version of PowerShell you are using, and what version of Server you are using.
You might also consider AD web services for one-at-a-time tasks that you wish to delegate.
From a TechNet post: Run the DSQUERY below:
Dsquery * CN=Partitions,CN=Configuration,DC=Mydomain,DC=com -scope base -attr msDS-Behavior-Version
Output: msDS-Behavior-Version 2
The attributes that indicate DFL and FFL:

- Forest level setting
Name: msDS-Behavior-Version
Path: CN=Partitions, CN=Configuration, DC=, DC=com
Value:
0 or not set = mixed level forest
1 = Windows Server 2003 interim forest level
2 = Windows Server 2003 forest level
3 = Windows Server 2008 forest level

Name: msDS-Behavior-Version
Path: DC=, DC=, DC=com (domain root)
Value:
0 or not set = mixed level domain
1 = Windows Server 2003 domain level
2 = Windows Server 2003 domain level
3 = Windows Server 2008 domain level

Name: ntMixedDomain
Path: DC=, DC=, DC=com (domain root)
Value:
0 = Native level domain
1 = Mixed level domain
I'm not sure about the role requirements of the user to run this, but you're not changing anything with it and it's all using DSQUERY (from the RSAT, a free download from Microsoft). Comment if we need to look at that end of it.