Create an Active Directory Fine Grained Password and Lockout Policy Passwords Settings Object (FGP & PSO)
Original publish date 2/16/2012
Revised 10/20/2014
Prelude
Ace here, again! I’ve updated this blog to reflect the fact that it’s much easier to create a PSO in Windows 2012, as well as a little background on PSOs.
Scope
Password policies are normally set in the Default Domain Policy. If they are created anywhere else, they won’t work. It’s just a fact of how AD and GPO account settings work. They are a domain specific settings.
Therefore, I thought I would put this blog together to explain them along with a step by step with lots of screenshots, on how to create a Fine Grained Password & Lockout Policy PSO (Password Settings Object) that you can apply to a group of users that will override the domain level Password and Lockout Settings.
And this is for Windows 2008 R2, which is a bit more tedious to create. If you are searching for how to create a PSO in Windows 2012 or Windows 2012 R2, the following link will help:
How to use Fine-Grained Passwords in Windows Server 2012
http://blogs.technet.com/b/uktechnet/archive/2012/08/28/guest-post-how-to-use-fine-grained-passwords-in-windows-server-2012.aspx
*
PSO and FGPP Guidelines
You can create one or more PSOs in your domain. Each PSO contains a complete set of password and lockout policy settings. A PSO is applied by linking the PSO to one or more global security groups or users. Actually, by linking a PSO to a user or a re modifying an attribute called msDSPSOApplied, which is empty by default. This approach now treats password and account lockout settings not as domain-wide requirements, but as attributes to a specific user or a group. For example, to configure a strict password policy for administrative accounts, create a global security group, add the service user accounts as members, and link a PSO to the group. Applying fine-grained password policies to a group in this manner is more manageable than applying the policies to each individual user account. If you create a new service account, you simply add it to the group, and the account becomes managed by the PSO.
Precedence:
A PSO can be linked to more than one group or user, an individual group or user can have more than one PSO linked to it, and a user can belong to multiple groups. So, which fine-grained password and lockout policy settings apply to a user? One and only one PSO determines the password and lockout settings for a s precedence.
The precedence value is any number greater than 0, where the number 1 indicates the highest precedence. If multiple PSOs apply to a user, the PSO with the highest precedence takes effect. The rules that determine precedence are as follows:
• If multiple PSOs apply to groups to which the user belongs, the PSO with the highest precedence wins.
• If one or more PSOs are linked directly to the user, PSOs linked to groups are ignored, regardless of
their precedence. The user-linked PSO with the highest precedence wins.
• If one or more PSOs have the same precedence value, Active Directory must choose. It picks the PSO with the lowest globally unique identifier (GUID). GUIDs are like serial numbers for Active Directory objects—no two objects have the same GUID. GUIDs have no particular meaning—they are just identifiers—so picking the PSO with the lowest GUID is, in effect, an arbitrary decision. You should configure PSOs with unique, specific precedence values so that you avoid this scenario.
These rules determine the resultant PSO. Active Directory exposes the resultant PSO in a user object attribute, msDS-ResultantPSO, so you can readily identify the PSO that will affect a user. PSOs contain all password and lockout settings, so there is no inheritance or merging of settings. The resultant PSO is the authoritative PSO.
To view the msDS-ResultantPSO attribute of a user:
1. Ensure that Advanced Features is enabled on the View menu.
2. Open the properties of the user account
3. Click the Attribute Editor tab.
4. Click Filter and ensure that Constructed is selected.
5. Locate the msDS-ResultantPSO attribute.
PSOs, OUs, and Shadow Groups:
PSOs can be linked to global security groups or users. PSOs cannot be linked to organizational units (OUs). If you want to apply password and lockout policies to users in an OU, you must create a global its membership shadows, or mimics, the membership of an OU.
Note: There is no graphical tool in Windows Server 2008 to create shadow groups.
However, you can create and manage them by using a very simple script that will run
periodically. This script should enumerate user objects in the desired OU and put them in a group.
*
Creating a PSO Step by Step
.
.
%20-%20click%20OK.jpg?psid=1)
.
.
.
.
.
.
.
.
.
..jpg?psid=1)
.
.jpg?psid=1)
.
%20will%20result%20in%20account%20lockout..jpg?psid=1)
.
%20within%20one%20hour%20will%20result%20in%20account%20lockout..jpg?psid=1)
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
=================================================================
Summary
I hope this helps in your endeavor.
Ace Fekay
MVP, MCT, MCSE 2012, MCITP EA & MCTS Windows 2008/R2, Exchange 2013, 2010 EA & 2007, MCSE & MCSA 2003/2000, MCSA Messaging 2003
Microsoft Certified Trainer
Microsoft MVP – Directory Services
Complete List of Technical Blogs: http://www.delawarecountycomputerconsulting.com/technicalblogs.php
This posting is provided AS-IS with no warranties or guarantees and confers no rights.