AD Password Settings Objects (PSOs)

Password Settings Objects (PSOs) other wise know as  fine-grained password policies can be used to set different restrictions for password and account lockout policies to different sets of users in a domain.

To create a PSO

  • Open Active Directory Administrative Centre
  • Double click on the Domain, then system and then Password Settings Container.
  • Click on New > Password Settings
  • Enter in specific settings for the password policy and select the user or group it applies to

If there is more then one password policy and they apply to a user, then a password policy with the lowest precedence applies. In the below example, A Hill user password policy has a lower precedence number thus would apply to the user even if he is in the HQ users.

 

 

PSOs can also be configured and applied by using the ADFineGrainedPasswordPolicy and
ADFineGrainedPasswordPolicySubject sets of cmdlets.

For example:

New-ADFineGrainedPasswordPolicy
-Name “Domain Admins Policy”
-MinPasswordLength 10
-Precedence 20
-LockoutThreshold 5

Get-ADFineGrainedPasswordPolicy  – show the policies

 

Resultant password settings

Powershell can be used to see the password settings

Get-ADUser -Identity “Charlie” | Get-ADUserResultantPasswordPolicy

Leave a Reply

Your email address will not be published. Required fields are marked *