
Step 3: Manage a PSO

Updated: August 24, 2007

Applies To: Windows Server 2008, Windows Server 2008 R2

Managing Password Settings objects (PSOs) includes the following tasks:

You must have Write permissions on the PSO object to perform any of the tasks above.

You can delete a PSO:

To delete a PSO (fine-grained password policy) using the Active Directory module for Windows PowerShell, see Delete a Fine-Grained Password Policy.

Active Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an Active Directory Domain Services (AD DS) forest. You can use ADSI Edit to query, view, and edit AD DS objects and attributes.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

  1. Click Start, click Run, type adsiedit.msc, and then click OK.

  2. Double-click the domain that contains the PSO that you want to delete.

  3. Double-click DC=<domain_name>.

  4. Double-click CN=System.

  5. Double-click CN=Password Settings.

    Note
    All the PSO objects that have been created in the selected domain appear.

  6. Right-click the PSO that you want to delete, and then click Delete.

    Note
    When the PSO is deleted, the password policy it represented will no longer be in effect for the members of the global security group that it was applied to.

You can use ldifde as a scriptable alternative for deleting PSOs.

LDAP Data Interchange Format (LDIF) is a proposed Internet standard for a file format that you can use for performing batch operations against directories that conform to Lightweight Directory Access Protocol (LDAP) standards. You can use LDIF to export and import data. LDIF performs batch operations such as add, create, and modify against AD DS. When you install the AD DS role, a utility program called LDIFDE is included to support batch operations that are based on the LDIF file format standard. For more information, see Using LDIFDE to import and export directory objects to Active Directory (http://go.microsoft.com/fwlink/?LinkId=87487).

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

  1. Specify which PSO you want to delete by saving the following sample code in a file, for example, delete-a-pso.ldf:

    dn: CN=PSO1, CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
    changetype: delete
    
  2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  3. Type the following command, and then press ENTER:

    ldifde -i -f delete-a-pso.ldf
    

 

| Parameter | Description |
|---|---|
| ldifde | Specifies a utility program that supports batch operations that are based on the LDIF file standard. |
| -i | Specifies that Import Mode is turned on. |
| -f delete-a-pso.ldf | Specifies the name of the input file that you created. |
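
Because a deleted PSO stops applying to every subject it was linked to, it is useful to record its settings and the affected accounts before removing it. The following is an added example, not part of the original topic; it uses cmdlets from the Active Directory module for Windows PowerShell, takes the PSO name PSO1 from the sample LDIF above, and assumes a backup file path.

```powershell
Import-Module ActiveDirectory

$psoName    = 'PSO1'                          # PSO name from the sample LDIF on this page
$backupFile = ".\$psoName-before-delete.xml"  # assumed backup location

# Stop immediately if the PSO does not exist or cannot be read.
$pso = Get-ADFineGrainedPasswordPolicy -Identity $psoName -ErrorAction Stop

# Subjects are the users and global security groups the PSO is linked to.
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $psoName)

# Expand group subjects to their member user accounts (nested groups included) for review.
$affected = foreach ($s in $subjects) {
    if ($s.objectClass -eq 'group') {
        Get-ADGroupMember -Identity $s.DistinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'user' }
    } else {
        $s
    }
}
$affected = @($affected | Sort-Object DistinguishedName -Unique)

# Keep a record of the settings and links so the PSO can be recreated if needed.
@{
    Policy   = $pso
    Subjects = @($subjects | ForEach-Object { $_.DistinguishedName })
} | Export-Clixml -Path $backupFile

Write-Host ("PSO '{0}' (precedence {1}) is linked to {2} subject(s), covering {3} user account(s)." -f `
    $pso.Name, $pso.Precedence, $subjects.Count, $affected.Count)
$affected | Select-Object SamAccountName, DistinguishedName | Format-Table -AutoSize

# Dry run: -WhatIf reports what would be deleted without changing the directory.
Remove-ADFineGrainedPasswordPolicy -Identity $psoName -WhatIf

# After the real deletion, check which PSO (if any) now applies to each account.
# No output for an account means only the domain password policy applies to it.
# $affected | ForEach-Object { Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName }
```

Remove `-WhatIf` only after reviewing the account list and confirming that the backup file was written.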

To view the details of a PSO (fine-grained password policy) using the Active Directory module for Windows PowerShell, see Retrieve Details of a Fine-Grained Password Policy.

To modify a PSO (fine-grained password policy) using the Active Directory module for Windows PowerShell, see Modify a Fine-Grained Password Policy.

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, ensure that Advanced Features is checked.

  3. In the console tree, click Password Settings Container.

    Where?

    • Active Directory Users and Computers\domain node\System\Password Settings Container.

  4. In the details pane, right-click the PSO, and then click Properties.

  5. Click the Attribute Editor tab.

  6. Select the attribute whose setting you want to view or edit, and then click View (for editable values) or Edit (for read-only values).

    Note
    If you do not see attributes whose settings you want to view or edit, click Filter to customize the list of attributes that is shown on the Attribute Editor tab.

    Note
    To view or edit the msDS-PSOAppliesTo attribute, click Filter, and then click Show attributes/Optional. Clear the Show only attributes that have values check box.

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, ensure that Advanced Features is checked.

  3. In the console tree, click Password Settings Container.

    Where?

    • Active Directory Users and Computers\domain node\System\Password Settings Container

  4. In the details pane, right-click the PSO, and then click Properties.

  5. Click the Attribute Editor tab.

  6. Select the msDS-PasswordSettingsPrecedence attribute, and then click Edit.

  7. In the Integer Attribute Editor dialog box, enter the new value for the PSO Precedence, and then click OK.
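
Before changing msDS-PasswordSettingsPrecedence, it helps to see how the PSO ranks against the others in the domain and whether the new value is already in use. The following is an added example, not part of the original topic; it uses the Active Directory module for Windows PowerShell, and the PSO name and new precedence value are assumptions.

```powershell
Import-Module ActiveDirectory

$psoName       = 'PSO1'   # assumed PSO name (matches the sample used earlier on this page)
$newPrecedence = 10       # assumed new value for msDS-PasswordSettingsPrecedence

# List every PSO in the domain, ranked by precedence (a lower value ranks higher).
$all = @(Get-ADFineGrainedPasswordPolicy -Filter * -Properties AppliesTo |
    Sort-Object Precedence)
$all | Format-Table Name, Precedence,
    @{ Name = 'Subjects'; Expression = { @($_.AppliesTo).Count } } -AutoSize

# Confirm the target PSO exists before attempting the change.
$target = $all | Where-Object { $_.Name -eq $psoName }
if (-not $target) {
    throw "PSO '$psoName' was not found in the Password Settings Container."
}

# Flag other PSOs that already use the requested value. Equal precedence makes
# the winning policy depend on object GUID ordering rather than on intent.
$clash = @($all | Where-Object {
    $_.Precedence -eq $newPrecedence -and $_.Name -ne $psoName
})

if ($clash.Count -gt 0) {
    $names = ($clash | ForEach-Object { $_.Name }) -join ', '
    Write-Warning "Precedence $newPrecedence is already used by: $names. Choose a unique value."
} else {
    Write-Host ("Changing '{0}' from precedence {1} to {2}." -f `
        $psoName, $target.Precedence, $newPrecedence)
    # Dry run: remove -WhatIf to apply the change.
    Set-ADFineGrainedPasswordPolicy -Identity $psoName -Precedence $newPrecedence -WhatIf
}
```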
