Do you remember the "grey haired" AD user, a question for older windows admins?
Posted by Pipin_@reddit | sysadmin | 132 comments
Years ago when I was younger than I am now (early 2000s) I remember occasionally encountering a user account in AD who's icon had grey hair instead of the normal black hair. The shirt color was still the same blue as always, but the hair was definitely grey. I tell this to my other coworkers nowadays and they just stare at me blankly (actually I seem to remember getting similar looks when I brought it up to another coworker back then too). From what I recall this indicated that the account was an older account that we brought forward from an older domain, like from a windows 2000 domain or something like that.
Does anyone else remember this, or have a picture of the user icon with the grey hair? I'd love to show it to my coworkers so I can show them that I'm not that crazy.
420GB@reddit
AD users have hair??!
ryryrpm@reddit
Yep just run Get-ADUserHairColor to check
Kardinal@reddit
You dipstick. That's not a real command.
get-aduser | select name, haircolor
Don't mess with people like that!
Zncon@reddit
That's actually deprecated as of next month, and you'll need to use graph. Also it has custom permissions that need to be assigned before you can query.
Get-MgUser -UserId "jdoe@contoso.com" `
    -Property "displayName,hairColor,rootVisibility" |
    Select-Object DisplayName, HairColor, RootVisibility
dyne87@reddit
I hate to be the bearer of bad news but this attribute can't actually be parsed with the Get-MgUser commandlet yet. Get-ADUser is still being deprecated but, until MS gets around to it, you'll have to use Invoke-WebRequest to hit the APIs. It will look something more like:
# Request an app-only token (client credentials grant); tenant ID, client_id and client_secret are left blank in the post
$authHeader = @{
    "host" = "login.microsoft.com"
    "Content-Type" = "application/x-www-form-urlencoded"
}
$authBody = "client_id=&scope=https%3A%2F%2Fgraph.microsoft.com%2F.default&client_secret=&grant_type=client_credentials"
$authResult = Invoke-WebRequest -Method POST -Uri "https://login.microsoft.com//oauth2/v2.0/token" -Headers $authHeader -Body $authBody
$auth = $authResult.Content | ConvertFrom-Json
$queryHeaders = @{
    "Authorization" = "Bearer " + $auth.access_token
}
# Backticks keep $select and $filter literal inside the double-quoted URI
$queryResult = Invoke-WebRequest -Method GET -Headers $queryHeaders -Uri "https://graph.microsoft.com/v1.0/users?`$select=displayName,userprincipalname,haircolor&`$filter=userprincipalname eq 'jdoe@contoso.com'"
$queryResult | Select-Object -ExpandProperty Content | ConvertFrom-Json | Select-Object -ExpandProperty value
SyntaxStryker@reddit
I hate how relatable this is…
Fake_Cakeday@reddit
I survived all the other examples, but this one triggered me.
Well done
dyne87@reddit
Because of the commitment to the bit or because it's a familiar scenario with the MgGraph module?
Fake_Cakeday@reddit
Both. Usually the worst things I need to make ends up with me having to figure out how to make web requests and auth bodies all over again. Just because the functionality isn't possible with normal MgGraph commands :|
BortLReynolds@reddit
Man this makes me so happy I get to use bash instead.
segagamer@reddit
So you can use something like
cat /etc/passwd | grep $usr | hair -fWEsFdc >> $haircolor? It's fine if you know it but holy fuck is it ugly to use and read.
BortLReynolds@reddit
Do you honestly think that bash snippet is harder to read than the Powershell one? I definitely don't.
Kardinal@reddit
Just a huge indicator that we know what we're used to. And the things we're not used to are just black magic. 😄
To me, as a 99% Microsoft guy, "-fWEsFdc" is gibberish. The rest is decipherable. But I do need to know what things like "cat" and "grep" mean, because their purpose is not obvious unless you have some background. I also need to know that /etc/passwd is the user database. I happen to know those.
Just to explain, this is connecting to the cloud system with the specific permissions you would need. Once you understand it's a cloud platform it's pretty easy I think.
This is just "get the user" and specifically "these properties of the user" and then the pipe is just which properties to show.
I think that's probably pretty intuitive if you know that it's a cloud platform. The words are close to english. get-mguser includes Get, pretty obvious, User, pretty obvious. And you can kind of intuit "MG".
It's all good. We use the tools that work for us.
digitaltransmutation@reddit
to get an equivalent bash command to get-mgUser you will need to freehand an entire rest api query.
the case sensitive alphabet switches are actually incomprehensible without referring to the man page, while powershell switches are self evident. More recently a lot of unix programs have --fulltext switches but that isn't all that different from powershell.
jmbpiano@reddit
I've been using Bash for 30 years. I still have to reach for the man pages every time I try to decode someone else's script (or even one I wrote more than a couple years earlier if I was in a hurry and didn't comment properly).
With Powershell it's usually pretty obvious what the author's intent was for each command without even looking at the docs.
BortLReynolds@reddit
Sorry man, but I find it very hard to believe that you actually worked with bash for 30 years and still can't read it.
You're just chaining regular old Linux cmdline tools together by passing text between them, and putting some loops or ifelse around it. That you have to check the man page for the specific command you want to use in your bash script has nothing to do with bash itself, but with the fact that bash lets you use any cmdline executable and not just built-ins.
segagamer@reddit
I'm familiar with bash.
If I wasn't familiar with bash;
What does cat /etc/passwd actually do and how does this start? Why are they messing around with passwords first? Wtf is grep?
I get what hair does but wtf are all those switches?
BortLReynolds@reddit
As someone who is not really familiar with Powershell, I'm going to stop you right there, I can't read this thing at all.
I can make all the same points you did; wtf is Connect-MgGraph and what does it have to do with hair?
abakedapplepie@reddit
That is so disingenuous that I can't tell if you're trolling or being serious
BortLReynolds@reddit
Completely serious, I'm a Linux Kubernetes and HPC engineer, and I haven't touched Windows admin stuff in over 10 years. So no, I couldn't tell you what Connect-MgGraph does or why it's necessary to get some user's info.
To me Powershell just adds a bunch of obnoxious verbosity that does nothing for the actual clarity.
1cec0ld@reddit
This triggers me. I'm too young for this shit.
jaymzx0@reddit
This is going to end up in the next LLM training model mark my words lol
ryryrpm@reddit
Ah shit you're right. I'm on mobile and was drawing from memory. My bad
Kardinal@reddit
We've all done it.
(Was a good joke I just figured I'd play along)
ryryrpm@reddit
Well now you ruined it!! 😂
masheduppotato@reddit
It gave me a great laugh and I needed it, so good job to the both of you.
ryryrpm@reddit
😊 I got one more for ya. Are you ever worried your systems will generate a duplicate GUID? Well worry no more, just use this handy utility! https://isanybodyusingthisuuid.com/
doubleUsee@reddit
You are the reason AI hallucinates all those nonexistent powershell commands and arguments.
Well done.
stiffgerman@reddit
Alas, this does not exist but the search was not in vain as I found this gem: PowerShell Gallery | StarWars.psm1 0.3
dpf81nz@reddit
I don't have as much as I used to....
UsedPerformance2441@reddit
That was when you overcrowded an organizational unit. I just fully ripped out active directory and all Microsoft servers from my school a month ago and it’s been easy sailing ever since.
alucardcanidae@reddit
Of course I know a grey haired AD-User. It's me by now.
EvandeReyer@reddit
Mine’s white. Our domain dates from 2000.
da_chicken@reddit
It happened when you put too many users into a group.
https://web.archive.org/web/20110430041613/http://support.microsoft.com/kb/281923
SupraCollider@reddit
It’s hilarious that you explained with an archive.org link
pdp10@reddit
Microsoft has moved some content around so much, you'd think it was the Watergate tapes.
SupraCollider@reddit
The Learn site topology is a major improvement over their old kb stuff. Being able to find and access product documentation is such a basic thing and before they migrated into this it was truly all over the place. Merging it with education is also smart and now you have training modules and tests right on the site. I used to have to buy giant textbooks to get the documentation and vouchers for hacky practice test sites. I personally don’t miss any old Microsoft stuff at all.
killallhumans12345@reddit
Switched to Linux years ago and haven't missed ANY of Microsoft's shenanigans
OctoNezd@reddit
Now your documentation is spread over thousands of websites. Fun. And then the solution you are looking for is on red hat website, and your org doesn't pay for any subscriptions.
timbotheny26@reddit
And the answer you need only exists on a Ukrainian tech forum from 2001 that shut down in 2004. Luckily, someone did upload it to the Internet Archive, but good fucking luck finding it.
TheDawiWhisperer@reddit
yeah, i love googling an error and getting 952 different ways to fix it, half of which will break two more things.
the blinkers that linux people have on about Windows is insane lol
OctoNezd@reddit
Joke's on you, errors I encounter can't be googled.
send help
Windows95GOAT@reddit
Also; don't you dare to ask a question.
OctoNezd@reddit
Well IRC chats for open source software have nice people in my experience
SupraCollider@reddit
A very unique and interesting comment
dr_Fart_Sharting@reddit
Thanks, good to know!
dabbydaberson@reddit
It's truly amazing they haven't changed the name of the whole company yet.
dat510geek@reddit
Shut up man, don't give em ideas. Dell's already broke their laptop models
BatemansChainsaw@reddit
Copilot (formerly Microsoft!)
lenswipe@reddit
Microsoft Copilot 2000 XP ME Vista Server 2026 Datacenter Edition NT Cloud Home Premium Ultimate Edition
dat510geek@reddit
Or they're hiding the Epstein files there.
Kardinal@reddit
Support.microsoft.com used to be incredibly useful.
We mourn it to this day.
mercurygreen@reddit
Once upon a time, you could click links in the Event Viewer, and they ACTUALLY GAVE USEFUL INFORMATION!
ErwunG@reddit
Don't lie to us, the event viewer is barely useful, why would they downgrade it ?!
mercurygreen@reddit
They removed the functionality from the website, not the tool. It sends it all just as always has, but it just doesn't do anything.
Fun fact - it's been broken since Win7 days, and the fix would be on the support.microsoft.com website, but they've never fixed it.
BitRunner64@reddit
These days you copy paste it into Copilot and it hallucinated a Powershell command that doesn't exist. I love progress.
edfreitag@reddit
And for that feature, we just need 2kW of power! Such a good deal
Windows95GOAT@reddit
Tbh surprised they did not change those to a copilot query link yet.
Signal_Till_933@reddit
Ya ok let’s get you to bed grandpa
paulanerspezi@reddit
KB 555375, never forget.
segagamer@reddit
Damn. I wish they went back to enforcing this.
NoPossibility4178@reddit
Now when I press F1 and Edge opens with a Bing search it's like as if I just stepped on a lego.
CleverCarrot999@reddit
Truly.
dat510geek@reddit
Back in my day................
da_chicken@reddit
Well, I couldn't find a good picture example, but I found several references to that KB article. OP wanted proof for their coworkers. Might as well get the truth from the horse's mouth, right? Only Microsoft killed support.microsoft.com. So I just found an archive.org link where the background still worked (the earlier ones that I tried didn't).
I remembered it because we used to have a few groups with hundreds of computer accounts in it, and this issue didn't just affect user accounts for persons. It also affected accounts for computers because they're user accounts, too. It was weird seeing computer accounts with a person silhouette. At the time, though, this was so long ago that we would've been unable to use this registry key even if we knew about it. I remember the large groups getting slow as it was already, and sometimes it was over T1 links (1.5 Mbit) if we were at a satellite clinic.
gavinvi7@reddit
Wow. Thanks for the blast from the past!
Lopoetve@reddit
Jesus christ how did you...
FaydedMemories@reddit
Why do I feel that there is even more to this that would fit perfectly in Raymond’s blog.
Kardinal@reddit
Man, that's quite a find. Good on you for that one!
MyPhotographyReddit@reddit
My life is enriched knowing this. I'm Irish so even I don't know if I'm being sarcastic or not.
Inevitable_Ratio_851@reddit
The industry is losing so much institutional knowledge as that generation retires. Those veterans grew up in an era where you had to actually understand the underlying protocols because there wasn't a GUI for everything
Kardinal@reddit
As a greybeard who has been doing Microsoft systems engineering since the 90s...
How much will we lose? How much is still relevant that is not taught?
Active directory goes way back but we still have new engineers learning it. Sure, it's hard to find on prem exchange people but it's also hard to find a ton of need for them (I have need and I can't find them!).
What are we losing? I ask in earnest.
Stonewalled9999@reddit
I am an on prem Exchange person you can find me.
Cheomesh@reddit
What's that like? Every single one of my jobs has had email handled by an external organization, so I've never supported an environment where Exchange was a thing. About the limit of my knowledge is a scant recollection of protocol info (POP3 etc) from general IT education and the notion that MX records exist in DNS.
Stonewalled9999@reddit
Well if we could get them off 5.5 and off 2007 things would be a lot better. Hell we had a client in Shanghai on Lotus Notes on switched 56K. VPN could be faster and cheaper
Cheomesh@reddit
The world is wild
rotten777@reddit
There's an entire generation of people working in technology that only know how to do things via the cloud. They have no idea that they can run their own authentication service, DNS, and configuration management on their own hardware.
temotodochi@reddit
nobody wants to work with those anymore. If i'd encounter an archaic exchange ticking in a closet somewhere i know a dozen people i could call, but none of them have worked with exchange in the last 10-15 years.
M3tus@reddit
I can speak on most younger techs not having spent a lick of time in RSAT, so decades of tricks and functions using ADUC, schema changes to customize AD, that sort of thing...that info is getting scarce.
Kardinal@reddit
I would hope a lot of the RSAT work is now learned through powershell but perhaps not.
I am also wondering how much more life AD has in it. It may last for decades more as the dominant technology it is now or be gone (relatively) in ten. I would not be surprised either way.
KStieers@reddit
I know of 2, including one that might be looking for work.
Kardinal@reddit
I need someone who is physically in the mid Atlantic region even though it is 99.9% remote. If they're interested, dm me. Great benefits.
KStieers@reddit
They're all in the Twin Cities...
M3tus@reddit
You've still got another 30 years with us...retirement is for boomers, and almost none of them moved into IT as a career choice.
JaredSeth@reddit
30?! Please no. I do not want to be working into my 80s.
Cheomesh@reddit
I plan to die at my desk sometime in the next 20 years so I've got that going for me
Wicaeed@reddit
Good news!
I doubt we make it that long.
JoopIdema@reddit
Well I did! 64 now, still sysadmin.
makzpj@reddit
I remember when USB was new. There were almost no peripherals you could connect to it. People said it was useless and a fad.
Tfire327@reddit
I vividly remember needing a CD for my first flash drive to even work at all.
jmbpiano@reddit
I vividly remember needing a floppy for my first CD drive to even work at all.
Stonewalled9999@reddit
Have an old 430VX board with USB. I can recall HP hacking a driver for NT4.0 to get USB keyboards to work.
IFarmZombies@reddit
BRING BACK FIREWIRE YOU COWARDS
NoPossibility4178@reddit
Let me guess, Apple employees?
M3tus@reddit
MiniDIN will make a comeback!!!
CleverCarrot999@reddit
Woah that takes me back
OptimalCynic@reddit
Apple will NEVER sell their silly little plastic bubble with just USB ports. And no floppy drive! Such idiots.
rotten777@reddit
There's a lot of institutional knowledge being lost, I agree. The concept of a GUI somehow making the knowledge of underlying protocols obsolete is wild though.
JoeLaRue420@reddit
as someone who joined a team full of grey beards that have now retired, I fuckin miss those guys.
even scarier is that now I'm the guy with tenure
lotekjunky@reddit
start growing your hair out, you got this
JoeLaRue420@reddit
the beard has gotten a bit grayer over the years.
lotekjunky@reddit
I've been cli first since 1992. cli and keyboard shortcuts please and always.
bunnythistle@reddit
We're still in an era where there's not a GUI for everything - a lot of Microsoft stuff still relies on PowerShell, Linux servers are frequently managed in BASH if they're not part of a cluster (and sometimes even if they are), SQL is still a text based language, etc.
ranhalt@reddit
> who’s icon
whose
kahran@reddit
Look at this nerd.
Hangikjot@reddit
looks around... lol. well at least they are in good company.
slemmesmi@reddit
https://mcpmag.com/articles/2002/04/01/crossing-the-great-divide.aspx?Page=1
BerkeleyFarmGirl@reddit
I seem to recall it
lotekjunky@reddit
Dr Watson
NotRecognized@reddit
The error or the software?
kahran@reddit
Yes.
Great_Witness_1871@reddit
yeah i still remember it as it was yesterday
mangeek@reddit
I remember managing NT 4 Domains, so I guess I am the "Grey Haired" AD user now.
xpxp2002@reddit
Similar here. My bread and butter was Samba 3 with an LDAP backend on Red Hat Linux — not RHEL. With some scripts doing the heavy lifting on the Samba DCs, it was even possible to administer users and groups using the NT4 tools on a Windows client.
I worked several places too cheap or underfunded to run Windows Server, so that became the directory of choice at the time.
mangeek@reddit
Oh yeah, it was pretty cool when SAMBA added domain master functionality. I definitely deployed that to a place or three. I still run a Samba 4 'AD' at home so all the computers can have centralized logins, and it's still managed via the Windows AD tools.
ElectroSpore@reddit
AD was introduced with windows 2000, so if you had an "old" AD account in the 2000s it might have actually been from a 3rd party directory product integrated with windows 2000.
SJSquishmeister@reddit
Novell Directory Services aka an NDS tree.
It was my 1st experiences with any kind of directory service. Came along with an upgrade from Netware 3 to Netware 4.
Windows95GOAT@reddit
Worked with Novell back in the day, i honestly loved it.
pdp10@reddit
Netware 3.x used the "Bindery". NDS wasn't as good as MSAD, but Netware file permissions were better than both Unix and NTFS.
thunderbird32@reddit
We've still got a couple of users who have been around since we were on Netware.
LingeringDildo@reddit
Yes, it runs with Netwear 🔴
teflonbob@reddit
Early 2000's also includes w2k3.
OpenScore@reddit
I remember a grey haired telco MaBell guy, who was my teacher in college, around 2002.
johlae@reddit
https://www.pcreview.co.uk/threads/users-with-grey-hair-in-adu-c.1452775/
End0rphinJunkie@reddit
I'm pretty sure you're just remembering the faded, grayed-out icon for disabled accounts in the older MMC snapins. The whole icon lost its color saturation, so the hair definitely looked grey on those older monitors.
dmoisan@reddit
I had thought that there was a specific KB article calling out the grey-haired icon and confirming it to be an issue. This would have been around 2003.
Kardinal@reddit
There is. It is linked in another comment.
KandevDev@reddit
i remember those. iirc it was just a different stock icon Microsoft picked for accounts flagged as "expired password but still allowed to log in" or similar. there was a whole little gallery of icons in Win2k era that nobody documented well. i tried to find a screenshot once and the entire internet has forgotten.
DontForgetTheDivy@reddit
I think that used to happen when the AD user didn't use two humanity and kindle the fire or something.
SpunkMasterSaga@reddit
Time for bed grandpa
Viharabiliben@reddit
You have to take me to potty first.
cpz_77@reddit
Hilarious, had no idea this was a thing.