
Step 2: Apply PSOs to Users and Global Security Groups

Updated: August 24, 2007

Applies To: Windows Server 2008, Windows Server 2008 R2

You can apply Password Settings objects (PSOs) to users or global security groups.

To apply a PSO (fine-grained password policy) by using the Active Directory module for Windows PowerShell, see Apply a Fine-Grained Password Policy.

To apply a PSO to the user object or group object, you must have Write permissions on the PSO object.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, ensure that Advanced Features is checked.

  3. In the console tree, click Password Settings Container.

    Where?

    • Active Directory Users and Computers\domain node\System\Password Settings Container.

  4. In the details pane, right-click the PSO, and then click Properties.

  5. Click the Attribute Editor tab.

  6. Select the msDS-PsoAppliesTo attribute, and then click Edit.

    Note
    If you do not see the msDS-PsoAppliesTo attribute in the Attributes list, click Filter, and then click Show attributes/Optional. Also, clear the Show only attributes that have values check box.

  7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.

    Note
    To obtain the full distinguished name of a user or a global security group, in the details pane, right-click the user or the global security group, and then click Properties. On the Attribute Editor tab, view the value of the Distinguished Name attribute in the Attributes list.

You can use the ldifde command to apply a PSO to multiple users or global security groups quickly.

LDAP Data Interchange Format (LDIF) is an Internet standard for a file format that you can use to perform batch operations against directories that conform to the Lightweight Directory Access Protocol (LDAP) standards. You can use LDIF to export and import data. LDIF performs batch operations such as add, create, and modify against AD DS. When you install the AD DS role, a utility program called LDIFDE is included to support batch operations that are based on the LDIF file format standard. For more information, see Using LDIFDE to import and export directory objects to Active Directory (http://go.microsoft.com/fwlink/?LinkId=87487).

To apply a PSO to the user object or group object, you must have Write permissions on the PSO object.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

  1. Specify what PSO you want to apply to which users or global security groups by copying the following sample code into a file, for example, apply-a-pso.ldf:

    dn: CN=Demo Policy,CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
    changetype: modify
    add: msDS-PSOAppliesTo
    msDS-PSOAppliesTo: CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com
    msDS-PSOAppliesTo: CN=user5,CN=Users,DC=dc1,DC=contoso,DC=com
    -
    
    Note
    The hyphen in the last line of the code in the file is required.

  2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  3. Type the following command, and then press ENTER:

    ldifde -i -f apply-a-pso.ldf
    

 

| Parameter | Description |
| --- | --- |
| ldifde | Specifies a utility program that supports batch operations that are based on the LDIF file standard. |
| -i | Specifies that Import Mode is turned on. |
| -f apply-a-pso.ldf | Specifies the name of the input file that you created. |
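For a longer list of targets, the file from step 1 can be generated instead of typed by hand. The following PowerShell is an added example, not part of the original page: it builds the same modify record, writes any DN that is not an RFC 2849 safe string (for example, one with non-ASCII characters) in base64 form, and always emits the terminating hyphen. The function names and the third sample DN are assumptions.

```powershell
# Added example, not from the original page. New-PsoAppliesToLdif and
# Format-LdifLine are hypothetical names; the third target DN is constructed.
function New-PsoAppliesToLdif {
    param(
        [Parameter(Mandatory = $true)][string]   $PsoDn,
        [Parameter(Mandatory = $true)][string[]] $TargetDn
    )

    # RFC 2849 SAFE-STRING: ASCII only, no NUL/CR/LF, and the first character
    # is not a space, ':' or '<'. \A and \z anchor to the true start and end.
    $safe = '\A[\x01-\x09\x0B\x0C\x0E-\x1F\x21-\x39\x3B\x3D-\x7F][\x01-\x09\x0B\x0C\x0E-\x7F]*\z'

    function Format-LdifLine([string]$Attr, [string]$Value) {
        if ($Value -cmatch $safe -and -not $Value.EndsWith(' ')) {
            return "${Attr}: $Value"
        }
        # Any other value is written as "attr:: <base64 of the UTF-8 bytes>".
        $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
        return "${Attr}:: $b64"
    }

    # Trim, drop blanks, and de-duplicate so no value is added twice.
    $targets = @($TargetDn | ForEach-Object { $_.Trim() } |
                 Where-Object { $_ } | Sort-Object -Unique)
    if ($targets.Count -eq 0) { throw 'No target DNs supplied.' }

    $lines  = @((Format-LdifLine 'dn' $PsoDn), 'changetype: modify', 'add: msDS-PSOAppliesTo')
    $lines += $targets | ForEach-Object { Format-LdifLine 'msDS-PSOAppliesTo' $_ }
    $lines += '-'   # terminating hyphen, required as the note in step 1 says
    $lines += ''    # blank line closes the record
    return $lines
}

# Constructed input: the page's two users plus a group whose name contains U+00FC.
$ldif = New-PsoAppliesToLdif `
    -PsoDn 'CN=Demo Policy,CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com' `
    -TargetDn @(
        'CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com'
        'CN=user5,CN=Users,DC=dc1,DC=contoso,DC=com'
        "CN=Vertrieb-S$([char]0xFC)d,CN=Users,DC=dc1,DC=contoso,DC=com"
    )

# Every line is ASCII after encoding, so the file can be written as ASCII.
$ldif | Set-Content -Path .\apply-a-pso.ldf -Encoding ASCII
```

Review the generated apply-a-pso.ldf before importing it with the command from step 3.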
