Admin Tips
- Windows Server 2008/2003/2000/XP/NT Administrator Knowledge Base
  - Windows Server 2008
    - Admin Tips
      - Active Directory
        Multiple PSOs To One User?

Section(s): Active Directory
Published on Apr 23, 2009.
Last Modified on Dec 31, 2008.
Last Modified by Nirmal Sharma.
Rating: Not Rated

This article explains the conflict which arise when multiple PSOs are applied to a user.

In Windows Server 2008, you have ability to create multiple password policies to a user or security group. For security groups the members of the group will get the password policies but not the Security Group itself. When applying multiple password policies for a single user, AD doesn't give you warning message that only one PSO will be in effect. This article explains how AD handles the conflict in case of multiple PSOs applied to a user.

1. Checks the value of attribute:msDS-PasswordSettingsPrecendence, If value is lowest for this PSO, the password settings will be applied from this PSO.

2. If value of the above attribute is equal then the PSO settings with the smallest GUID is applied to the user.

About Nirmal Sharma

Nirmal is a Microsoft MVP in Directory Services and working as a Technical Architect/Consultant. He has been involved in Microsoft Technologies since 1994 and followed the progression of Microsoft Operating Systems and software. He is specialized in Directory Services, Microsoft Clustering, SQL, MOM, Exchange and Citrix. In his spare time, he likes to help others and write "internal" technical articles, white papers and tips on various Microsoft technologies. You can contact him at nirmal_sharma@mvps.org.