Multiple PSOs To One User?

by [Published on 23 April 2009 / Last Updated on 31 Dec. 2008]

This article explains the conflict which arise when multiple PSOs are applied to a user.

In Windows Server 2008, you have ability to create multiple password policies to a user or security group. For security groups the members of the group will get the password policies but not the Security Group itself. When applying multiple password policies for a single user, AD doesn't give you warning message that only one PSO will be in effect. This article explains how AD handles the conflict in case of multiple PSOs applied to a user.

1. Checks the value of attribute:msDS-PasswordSettingsPrecendence, If value is lowest for this PSO, the password settings will be applied from this PSO.

2. If value of the above attribute is equal then the PSO settings with the smallest GUID is applied to the user.

 

Featured Links