Step 2: Apply PSOs to Users and Global Security Groups

Applies To: Windows Server 2008, Windows Server 2008 R2

Applying PSOs

You can apply Password Settings objects (PSOs) to users or global security groups:

  • Applying a PSO using the Active Directory module for Windows PowerShell

  • Applying PSOs to users or global security groups using the Windows interface

  • Applying PSOs to users or global security groups using ldifde

Applying a PSO using the Active Directory module for Windows PowerShell

To apply a PSO (fine-grained password policy) using the Active Directory module for Windows PowerShell, see Apply a Fine-Grained Password Policy.
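
The following script is an added example; it is not part of the original article or the Active Directory module documentation. It applies a PSO to one user and one global security group with the cmdlets that the module provides, and then reads back both the link and the policy that actually takes effect for the user. The PSO name "Demo Policy", the user "user1" and the group "Finance Staff" are assumed names.

```powershell
# Added example (not from the original article): apply a PSO to a user and a
# global security group with the Active Directory module, then verify what is
# actually in effect. "Demo Policy", "user1" and "Finance Staff" are assumed.
Import-Module ActiveDirectory

$psoName = 'Demo Policy'
$user    = 'user1'
$group   = 'Finance Staff'

# PSOs take effect only on users and global security groups. A PSO linked to a
# domain local group, a universal group or a distribution group is ignored, so
# check the group type before creating the link.
$g = Get-ADGroup -Identity $group
if ($g.GroupScope -ne 'Global' -or $g.GroupCategory -ne 'Security') {
    throw "Group '$group' is $($g.GroupScope)/$($g.GroupCategory); a PSO applied to it would be ignored."
}

# Link the PSO to both principals. This writes msDS-PSOAppliesTo on the PSO,
# exactly as the Attribute Editor and ldifde procedures below do.
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $user, $g

# Read back the forward link on the PSO ...
Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Select-Object Name, ObjectClass, DistinguishedName

# ... and the policy that wins for the user. When several PSOs apply, the one
# with the lowest precedence value wins, and a PSO linked directly to the user
# beats any PSO linked through group membership. An empty result means the
# default domain policy applies.
Get-ADUserResultantPasswordPolicy -Identity $user |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold
```

The last cmdlet is the check worth keeping after any change: it resolves precedence and group membership the way the domain controller does, so it shows whether the link you just added is the one that governs the account or whether another PSO with a lower precedence value still wins.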

Applying PSOs to users or global security groups using the Windows interface

To apply a PSO to the user object or group object, you must have Write permissions on the PSO object.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To apply PSOs to users or global security groups using the Windows interface

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, ensure that Advanced Features is checked.

  3. In the console tree, click Password Settings Container.

    Where?

    • Active Directory Users and Computers\domain node\System\Password Settings Container.

  4. In the details pane, right-click the PSO, and then click Properties.

  5. Click the Attribute Editor tab.

  6. Select the msDS-PSOAppliesTo attribute, and then click Edit.

Note

If you do not see the msDS-PSOAppliesTo attribute in the Attributes list, click Filter, and then click Show attributes/Optional. Also, clear the Show only attributes that have values check box.

  7. In the Multi-valued String Editor dialog box, enter the distinguished name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.

Note

To obtain the full distinguished name of a user or a global security group, in the details pane, right-click the user or the global security group, and then click Properties. On the Attribute Editor tab, view the value of the Distinguished Name attribute in the Attributes list.

Applying PSOs to users or global security groups using ldifde

You can use the ldifde command to apply a PSO to multiple users or global security groups quickly.

LDAP Data Interchange Format (LDIF) is an Internet standard for a file format that you can use to perform batch operations against directories that conform to the Lightweight Directory Access Protocol (LDAP) standards. You can use LDIF to export and import data. LDIF change records perform batch operations such as add, modify, and delete against AD DS. When you install the AD DS role, a utility program called LDIFDE is included to support batch operations that are based on the LDIF file format standard. For more information, see Using LDIFDE to import and export directory objects to Active Directory (https://go.microsoft.com/fwlink/?LinkId=87487).

To apply a PSO to the user object or group object, you must have Write permissions on the PSO object.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To apply PSOs to users or global security groups using ldifde

  1. Specify what PSO you want to apply to which users or global security groups by copying the following sample code into a file, for example, apply-a-pso.ldf:

    dn: CN=Demo Policy,CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
    changetype: modify
    add: msDS-PSOAppliesTo
    msDS-PSOAppliesTo: CN=user1,CN=Users,DC=dc1,DC=contoso,DC=com
    msDS-PSOAppliesTo: CN=user5,CN=Users,DC=dc1,DC=contoso,DC=com
    -
    

Note

The hyphen in the last line of the code in the file is required.

  2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  3. Type the following command, and then press ENTER:

    ldifde -i -f apply-a-pso.ldf
    
Parameter           Description

ldifde              Specifies the utility program that supports batch operations based on the LDIF file standard.

-i                  Specifies that Import mode is turned on.

-f apply-a-pso.ldf  Specifies the name of the input file that you created.
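
The following script is an added example and is not part of the original article. It builds the same kind of LDIF change record shown above for a list of accounts, imports it with ldifde, and then reads the link back from both ends. The PSO distinguished name, the domain name, and the account and group names are assumed; the ldifde switches used (-i, -f, -j, -u) are the utility's documented switches.

```powershell
# Added example (not from the original article): generate the LDIF change
# record for several principals, import it with ldifde, and verify the link.
# The PSO DN, domain, users and group below are assumed values.
Import-Module ActiveDirectory

$psoDn = 'CN=Demo Policy,CN=Password Settings Container,CN=System,DC=contoso,DC=com'

# Resolve names to DNs instead of typing DNs by hand. A mistyped DN makes
# ldifde reject the whole record, and a group that is not a global security
# group would be linked but ignored, so filter those out here.
$subjects = @('user1', 'user5') | ForEach-Object {
    (Get-ADUser -Identity $_).DistinguishedName
}
$grp = Get-ADGroup -Identity 'Finance Staff'
if ($grp.GroupScope -eq 'Global' -and $grp.GroupCategory -eq 'Security') {
    $subjects += $grp.DistinguishedName
}

# One 'modify' record. Every value repeats the attribute name on its own line,
# and the record must end with a line containing only a hyphen.
$ldif  = @("dn: $psoDn", 'changetype: modify', 'add: msDS-PSOAppliesTo')
$ldif += $subjects | ForEach-Object { "msDS-PSOAppliesTo: $_" }
$ldif += '-'
$ldif += ''

# Write the file without a UTF-8 byte-order mark, which ldifde does not expect.
# DNs containing non-ASCII characters need a Unicode file and the -u switch.
$file = Join-Path $env:TEMP 'apply-a-pso.ldf'
$ldif | Set-Content -Path $file -Encoding Ascii

# Import; -j puts ldif.log and ldif.err next to the input file for diagnosis.
& ldifde -i -f $file -j $env:TEMP
if ($LASTEXITCODE -ne 0) {
    throw "ldifde failed with exit code $LASTEXITCODE; see $env:TEMP\ldif.err"
}

# Verify from both ends: the forward link on the PSO ...
(Get-ADObject -Identity $psoDn -Properties 'msDS-PSOAppliesTo').'msDS-PSOAppliesTo'

# ... and the back-link on one of the subjects.
(Get-ADUser -Identity 'user1' -Properties 'msDS-PSOApplied').'msDS-PSOApplied'
```

Because the record uses `add:`, the import fails if any listed DN is already linked to the PSO. If you want the file to define the complete list of subjects rather than append to it, use `replace: msDS-PSOAppliesTo` instead; LDIF `replace` sets the attribute to exactly the values that follow it.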