0/1 Lessons

Course Introduction

• 2min

0 / 1 lessons complete

Introduction to Group Policy Management

• 1hr 24min

0 / 6 lessons complete

Manage Your Workstations

• 1hr 46min

0 / 7 lessons complete

Securing Your Domain

• 1hr 1min

0 / 5 lessons complete

Group Policy Troubleshooting

• 53min

0 / 5 lessons complete

Course Conclusion

• 1min

0 / 1 lessons complete

Deploying Fine Grained Password Policies (PSOs)


Q&A (0)

Notes (0)

Resources (0)

Saving Progress...


There are no resources for this lesson.

Notes can be saved and accessed anywhere in the course. They also double as bookmarks so you can quickly review important lesson material.

Create note

In this lecture, I am going to be showing you how to create a PSO or Password Settings Object. The purpose is to allow you to set a password policy on a per-user or per security user group basis.Open Server Manager > Tools > Active Directory Users and Computers. Expand instructorpaul.com domain and instructorpaul OU. Right-click on Domain Groups and choose New > Group from the context menu.

We are naming this group to something that gives us an indication that is related to a password policy setting. We are naming it 7 Day Password Age for our exercise. It is a Global Group and a Security Group. Click OK to create it.

Double click the group we just created and add the user paul.hill as a member.

Click the Members tab and click the Add button.

Search for paul.hill and click the Check Names button to resolve the name and click OK.

Click the Apply and OK buttons.

Essentially what we have done is create a new group and add a user to it. The Security Group has a name that’s useful for letting us know that the password age is only 7 days, but it really doesn’t do anything to that effect.

So the way we create a PSO is NOT inside Active Directory and is NOT inside Group Policy. The way you do this is with the ADSI Edit.Open Server Manager > Tools > ADSI Edit. Under ADSI Edit right-click ADSI Edit and choose Connect to...

Under the Connections Settings window leave all the options as default and click on OK.

Click to expand Default naming context > DC=instructorpaul,DC=com > CN=System

Under System, we are looking for CN=Password Settings Container. Right-click on the right empty pane and choose from the context menu New > Object…

A Create Object window will pop up. The only class that we have is a MsDS-PasswordSettings that is selected. This is the PSO Object we are looking for. Click Next to continue.

Now we need to create a name for the PSO. Type 7DayPasswordAge in the value section and click on the Next button.

For the Password Precedence Settings value type the number 1. Click Next to continue.

TIP: The PSO with the lowest number value, the one closest to 1, will take precedence over other PSOs.

Just like with the Group Policy Objects we see if we want to use Reversible Encryption and we will type the word FALSE in uppercase and click Next.

For Password History, we type the number 24 and click Next.

For Password Complexity, we are going to type TRUE in uppercase and click Next.

In the Minimum Password Length for user accounts, we type 14 and click Next.

Now we have the Minimum Password Age for user accounts we type 00:00:00:00. This is the format that represents seconds, minutes, hours, and days. Click Next.

In the Maximum Password Age for user accounts, we type 07:00:00:00. That represents 7 days. Click Next to continue.

The Lockout threshold for lockout of user accounts represents how many times a user can type in a bad password before their account gets locked out. Type 3 and click Next.

The Observation Window for lockout of user accounts is going to be 15 minutes. We are typing it in the format 00:00:15:00 and click Next.

In the Lockout duration for locked-out user accounts, we type it in the format 00:00:15:00 and we click Next.

Server Academy Members Only

Sorry, this lesson is only available to Server Academy Full Access members. Become a Full-Access Member now and you’ll get instant access to all of our courses.

0 0 votes
Lesson Rating
Notify of
profile avatar
Newest Most Voted
Inline Feedbacks
View all comments

profile avatar
1 year ago

I run this command on my own lab but I didn’t get the ExpiryDate.
I am still wondering the why reason I cannot display the Expirydate.

profile avatar
Ricardo P(@ricardop)
Reply to  AndreServille1
1 year ago

Hi profile avatar André Serville

Check that the password never expires checkbox is unchecked. That is the only thing that comes to mind and happened to me in the lab.


profile avatar
1 year ago

@ricardo, you are right, my user’s password was set to « password never expire »
When i uncheck that and I run the command, the expirydate was displayed. No need to configure thé expiration date at thé bottin of the wizard as thé user is member of PSO group