Multiple PSOs To One User?

by [Published on 23 April 2009 / Last Updated on 31 Dec. 2008]

This article explains the conflict which arise when multiple PSOs are applied to a user.

In Windows Server 2008, you have ability to create multiple password policies to a user or security group. For security groups the members of the group will get the password policies but not the Security Group itself. When applying multiple password policies for a single user, AD doesn't give you warning message that only one PSO will be in effect. This article explains how AD handles the conflict in case of multiple PSOs applied to a user.

1. Checks the value of attribute:msDS-PasswordSettingsPrecendence, If value is lowest for this PSO, the password settings will be applied from this PSO.

2. If value of the above attribute is equal then the PSO settings with the smallest GUID is applied to the user.


The Author — Nirmal Sharma

Nirmal Sharma avatar

Nirmal Sharma is a MCSEx3, MCITP, and was awarded Microsoft MVP in Directory Services. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles for various online communities. Nirmal can also be found contributing to PowerShell based Dynamic Packs for ADHealthProf.ITDynamicPacks.Net solutions.

Latest Contributions

Featured Links