ROSP and FGPP

by Mitch Tulloch [Published on 26 Sept. 2012 / Last Updated on 26 Sept. 2012]

A tip on how to view the Resultant Set Of Policy for Fine-Grained Password Policies.

Fine-Grained Password Policies (FGPP) were introduced in Windows Server 2008 as a a way to define different password and account lockout policies for different sets of users in a domain.  But FGPP isn't defined in a Group Policy Object (GPO) so if you have FGPP implemented in your environment then you can't view it's effect by calculating the Resultant Set Of Policy (RSOP) for a user account.

However, you can try using one of the following methods to view the effect of FGPP on a user account:

By using the LDIFDE command-line utility as follows:

Ldifde /d/l msds-resultantPSO /f con /p base /s

By using the Dsget command-line utility as follows:

dsget user-effectivepso

Mitch Tulloch is a eight-time recipient of the Microsoft Most Valuable Professional (MVP) award and widely recognized expert on Windows administration, deployment and virtualization. For more tips by Mitch you can follow him on Twitter or friend him on Facebook.

The Author — Mitch Tulloch

Mitch Tulloch is a widely recognized expert on Windows administration, networking, and security. He has been repeatedly awarded Most Valuable Professional (MVP) status by Microsoft for his outstanding contributions in supporting users who deploy and use Microsoft platforms, products and solutions. Mitch has published over two hundred articles on different IT websites and magazines, and he has written or contributed to almost two dozen books and is lead author for the Windows 7 Resource Kit from Microsoft Press. For more information, see www.mtit.com .

Latest Contributions

Featured Links