Multiple PSOs To One User?

by [Published on 23 April 2009 / Last Updated on 31 Dec. 2008]

This article explains the conflict which arise when multiple PSOs are applied to a user.

In Windows Server 2008, you have ability to create multiple password policies to a user or security group. For security groups the members of the group will get the password policies but not the Security Group itself. When applying multiple password policies for a single user, AD doesn't give you warning message that only one PSO will be in effect. This article explains how AD handles the conflict in case of multiple PSOs applied to a user.

1. Checks the value of attribute:msDS-PasswordSettingsPrecendence, If value is lowest for this PSO, the password settings will be applied from this PSO.

2. If value of the above attribute is equal then the PSO settings with the smallest GUID is applied to the user.


See Also

The Author — Nirmal Sharma

Nirmal Sharma avatar

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to PowerShell-based Dynamic Packs for www.ITDynamicPacks.Net solutions.

Featured Links