Deploying Fine Grained Password Policies (PSOs)

In this lecture, I am going to show you how to create a PSO, or Password Settings Object. Its purpose is to let you set a password policy on a per-user or per-security-group basis.

Open Server Manager > Tools > Active Directory Users and Computers. Expand the instructorpaul.com domain and the instructorpaul OU. Right-click Domain Groups and choose New > Group from the context menu.

We are giving this group a name that indicates it is related to a password policy setting. For our exercise, we name it 7 Day Password Age. It is a Global group and a Security group. Click OK to create it.

Double click the group we just created and add the user paul.hill as a member.

Click the Members tab and click the Add button.

Search for paul.hill and click the Check Names button to resolve the name and click OK.

Click the Apply and OK buttons.

Essentially, what we have done is create a new group and add a user to it. The security group has a name that tells us the password age is only 7 days, but the name by itself doesn't do anything to that effect.

So the way we create a PSO is NOT inside Active Directory and is NOT inside Group Policy. The way you do this is with ADSI Edit.

Open Server Manager > Tools > ADSI Edit. Under ADSI Edit, right-click ADSI Edit and choose Connect to...

Under the Connections Settings window leave all the options as default and click on OK.

Click to expand Default naming context > DC=instructorpaul,DC=com > CN=System

Under System, we are looking for CN=Password Settings Container. Right-click in the empty right-hand pane and choose New > Object… from the context menu.

A Create Object window will pop up. The only class available is msDS-PasswordSettings, which is already selected. This is the PSO object class we are looking for. Click Next to continue.

Now we need to create a name for the PSO. Type 7DayPasswordAge in the value section and click on the Next button.

For the Password Precedence Settings value type the number 1. Click Next to continue.

TIP: The PSO with the lowest number value, the one closest to 1, will take precedence over other PSOs.

Just like with Group Policy Objects, we are asked whether we want to use Reversible Encryption. Type the word FALSE in uppercase and click Next.

For Password History, we type the number 24 and click Next.

For Password Complexity, we are going to type TRUE in uppercase and click Next.

In the Minimum Password Length for user accounts, we type 14 and click Next.

Next is the Minimum Password Age for user accounts. Type 00:00:00:00. The format is days:hours:minutes:seconds. Click Next.

In the Maximum Password Age for user accounts, we type 07:00:00:00. That represents 7 days. Click Next to continue.

The Lockout threshold for lockout of user accounts represents how many times a user can type in a bad password before their account gets locked out. Type 3 and click Next.

The Observation Window for lockout of user accounts is going to be 15 minutes. Type it in the format 00:00:15:00 and click Next.

For the Lockout duration for locked-out user accounts, type 00:00:15:00 and click Next.
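The same PSO values expressed with the ActiveDirectory PowerShell module, as an added example that is not part of the original lesson. It assumes the RSAT ActiveDirectory module is installed and that the group's pre-Windows 2000 name matches its display name; linking the PSO to the group is an assumed next step that the lesson text above does not show.

```powershell
# Added example, not the course's own code. Run as an account allowed to create PSOs.
Import-Module ActiveDirectory

$psoName   = '7DayPasswordAge'      # PSO name used in the lesson
$groupName = '7 Day Password Age'   # security group created in the lesson
$userName  = 'paul.hill'            # member added to that group in the lesson

# The values typed into the ADSI Edit wizard, as cmdlet parameters.
$settings = @{
    Name                        = $psoName
    Precedence                  = 1       # lowest number wins
    ReversibleEncryptionEnabled = $false
    PasswordHistoryCount        = 24
    ComplexityEnabled           = $true
    MinPasswordLength           = 14
    MinPasswordAge              = [TimeSpan]::Zero            # 00:00:00:00
    MaxPasswordAge              = [TimeSpan]::FromDays(7)     # 07:00:00:00
    LockoutThreshold            = 3
    LockoutObservationWindow    = [TimeSpan]::FromMinutes(15) # 00:00:15:00
    LockoutDuration             = [TimeSpan]::FromMinutes(15) # 00:00:15:00
}

# Create the PSO only if it is missing, so the script can be re-run safely.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @settings
}

# Assumed next step: apply the PSO to the group, unless it is already linked.
$linked = (Get-ADFineGrainedPasswordPolicySubject -Identity $psoName).Name
if ($linked -notcontains $groupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# Confirm which PSO actually wins for the user (empty output means the
# default domain policy applies instead).
Get-ADUserResultantPasswordPolicy -Identity $userName |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength, LockoutThreshold

# Show the computed expiry. Accounts flagged "password never expires" carry a
# sentinel value here instead of a date, so check for it before converting.
$u   = Get-ADUser -Identity $userName -Properties PasswordNeverExpires, 'msDS-UserPasswordExpiryTimeComputed'
$raw = $u.'msDS-UserPasswordExpiryTimeComputed'
if ($u.PasswordNeverExpires -or $raw -eq [Int64]::MaxValue) {
    "$userName has no expiry date (password never expires is set)"
} else {
    "$userName password expires: $([datetime]::FromFileTime($raw))"
}
```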

Points: 1844
2 months ago

I ran this command in my own lab but I didn’t get the ExpiryDate.
I am still wondering why I cannot display the ExpiryDate.

Ricardo P(@ricardop)
Power Student
Points: 40197
Reply to  AndreServille1
2 months ago

Hi André Serville

Check that the password never expires checkbox is unchecked. That is the only thing that comes to mind and happened to me in the lab.


Points: 1844
2 months ago

@ricardo, you are right, my user’s password was set to "password never expires".
When I unchecked that and ran the command, the ExpiryDate was displayed. No need to configure the expiration date at the bottom of the wizard, as the user is a member of the PSO group.