Upgrade your Internet Experience
Microsoft.com
Welcome Sign in
Windows Server TechCenter
Click to Rate and Give Feedback

  Switch on low bandwidth view
Step 3: Manage a PSO

Updated: August 24, 2007

Managing Password Settings objects (PSOs) includes the following tasks:

You must have Write permissions on the PSO object to perform any of the tasks above.

Deleting a PSO

You can delete a PSO:

Deleting a PSO using ADSI Edit

Active Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an Active Directory Domain Services (AD DS) forest. You can use ADSI Edit to query, view, and edit AD DS objects and attributes.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To delete a PSO using ADSI Edit

  1. Click Start, click Run, type adsiedit.msc, and then click OK.

  2. Double-click the domain that contains the PSO that you want to delete.

  3. Double-click DC=<domain_name>.

  4. Double-click CN=System.

  5. Double-click CN=Password Settings.

    noteNote
    All the PSO objects that have been created in the selected domain appear.

  6. Right-click the PSO that you want to delete, and then click Delete.

    noteNote
    When the PSO is deleted, the password policy it represented will no longer be in effect for the members of the global security group that it was applied to.

Deleting a PSO using ldifde

You can use ldifde as a scriptable alternative for deleting PSOs.

LDAP Data Interchange Format (LDIF) is a proposed Internet standard for a file format that you can use for performing batch operations against directories that conform to Lightweight Directory Access Protocol (LDAP) standards. You can use LDIF to export and import data. LDIF performs batch operations such as add, create, and modify against AD DS. When you install the AD DS role, a utility program called LDIFDE is included to support batch operations that are based on the LDIF file format standard. For more information, see Using LDIFDE to import and export directory objects to Active Directory (http://go.microsoft.com/fwlink/?LinkId=87487).

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at http://go.microsoft.com/fwlink/?LinkId=83477.

To delete a PSO using ldifde

  1. Specify which PSO you want to delete by saving the following sample code in a file, for example, delete-a-pso.ldf:

    dn: CN=PSO1, CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
changetype: delete

  2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  3. Type the following command, and then press ENTER: 

    ldifde –i –f delete-a-pso.ldf

 

Parameter Description

ldifde

Specifies a utility program that supports batch operations that are based on the LDIF file standard.

-i

Specifies that Import Mode is turned on.

-f delete-a-pso.ldf

Specifies the name of the input file that you created.

Viewing and modifying PSO settings

To view or modify PSO settings using the Windows interface

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, ensure that Advanced Features is checked.

  3. In the console tree, click Password Settings Container.

    Where?

    • Active Directory Users and Computers\domain node\System\Password Settings Container.

  4. In the details pane, right-click the PSO, and then click Properties.

  5. Click the Attribute Editor tab.

  6. Select the attribute whose setting you want to view or edit, and then click View (for editable values) or Edit (for read-only values).

    noteNote
    If you do not see attributes whose settings you want to view or edit, click Filter to customize the list of attributes that is shown on the Attribute Editor tab.
    noteNote
    To view or edit the msDS-PSOAppliesTo attribute, click Filter, and then click Show attributes/Optional. Clear the Show only attributes that have values check box.

Modifying PSO precedence

To modify PSO precedence using the Windows interface

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, ensure that Advanced Features is checked.

  3. In the console tree, click Password Settings Container.

    Where?

    • Active Directory Users and Computers\domain node\System\Password Settings Container

  4. In the details pane, right-click the PSO, and then click Properties.

  5. Click the Attribute Editor tab.

  6. Select the msDS-PasswordSettingsPrecedence attribute, and then click Edit.

  7. In the IntegerAttribute Editor dialog box, enter the new value for the PSO Precedence, and then click OK.

Tags What's this?: Add a tag
Community Content   What is Community Content?
Add new content RSS  Annotations
© 2009 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement
Page view tracker