How to check AD DS domain/forest functional level from domain joined workstation?

Is it possible to define AD DS domain/forest functional levels from domain joined workstation? Preferably through CLI/PS and if possible w/o Domain Admin rights... How can I accomplish it?


Solution 1:

The following PowerShell does not require admin or domain admin access; I've tested it as a limited user on a domain-joined workstation with PowerShell v2/v3. It does not require any third-party tools or PowerShell modules.

$dse = ([ADSI] "LDAP://RootDSE")

# Domain Controller Functional Level
$dse.domainControllerFunctionality

# Domain Functional Level
$dse.domainFunctionality

# Forest Functional Level
$dse.forestFunctionality

The values returned will represent a distinct functional level:

Value  Forest        Domain             Domain Controller
0      2000          2000 Mixed/Native  2000
1      2003 Interim  2003 Interim       N/A
2      2003          2003               2003
3      2008          2008               2008
4      2008 R2       2008 R2            2008 R2
5      2012          2012               2012
6      2012 R2       2012 R2            2012 R2
7      2016          2016               2016

References:

  • [MS-ADTS] msDS-Behavior-Version: Forest Functional Level
  • [MS-ADTS] msDS-Behavior-Version: Domain NC Functional Level
  • [MS-ADTS] msDS-Behavior-Version: DC Functional Level

Solution 2:

Just a complementary solution to the accepted answer, as I ended up here more or less with the same need. The difference is one gets the level name decoded:

Import-Module ActiveDirectory
$ForestRoot = 'top.domain'

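# Forest functional level, returned as a name rather than a number
(Get-ADForest -Identity $ForestRoot).ForestMode

# Functional level of every domain in the forest, as one table
(Get-ADForest -Identity $ForestRoot).Domains |
    ForEach-Object { Get-ADDomain -Identity $_ } |
    Format-Table DNSRoot, DomainMode -AutoSize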
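
An added example, not part of either answer above: it combines Solution 1's module-free RootDSE query with the decoded level names that Solution 2 gets from the ActiveDirectory module, using the value table from Solution 1. The function names and the optional -Server parameter are assumptions made for this example.

```powershell
# Added example: decode RootDSE functional levels without the ActiveDirectory module.
# Level names are transcribed from the value table in Solution 1.
$common = @{ 2 = '2003'; 3 = '2008'; 4 = '2008 R2'; 5 = '2012'; 6 = '2012 R2'; 7 = '2016' }
$LevelNames = @{
    forestFunctionality           = $common + @{ 0 = '2000'; 1 = '2003 Interim' }
    domainFunctionality           = $common + @{ 0 = '2000 Mixed/Native'; 1 = '2003 Interim' }
    domainControllerFunctionality = $common + @{ 0 = '2000' }   # value 1 is N/A for a DC
}

function ConvertTo-LevelName {
    param([string]$Attribute, [int]$Value)
    $map = $LevelNames[$Attribute]
    # Values outside the table (for example a newer release) are reported, not guessed.
    if ($map.ContainsKey($Value)) { $map[$Value] } else { "Unknown ($Value)" }
}

function Get-FunctionalLevel {
    # -Server is a hypothetical convenience parameter: the DC whose RootDSE is read.
    param([string]$Server)
    $path = if ($Server) { "LDAP://$Server/RootDSE" } else { 'LDAP://RootDSE' }
    $dse  = [ADSI]$path

    foreach ($attr in 'forestFunctionality', 'domainFunctionality', 'domainControllerFunctionality') {
        $raw = "$($dse.$attr)"            # same property access as Solution 1, as a string
        if ($raw -notmatch '^\d+$') {     # empty or non-numeric: attribute was not returned
            Write-Warning "$attr could not be read from $path"
            continue
        }
        New-Object PSObject -Property @{
            Attribute = $attr
            Value     = [int]$raw
            Level     = ConvertTo-LevelName $attr ([int]$raw)
        }
    }
}

Get-FunctionalLevel | Format-Table Attribute, Value, Level -AutoSize
```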