Step 4: View a Resultant PSO for a User or a Global Security Group

Applies To: Windows Server 2008, Windows Server 2008 R2

You can view the resultant Password Settings object (PSO) for a user object:

  • Viewing the resultant PSO for users using the Active Directory module for Windows PowerShell

  • Viewing the resultant PSO for users using the Windows interface

  • Viewing the resultant PSO for users from the command line using dsget

Viewing the resultant PSO for users using the Active Directory module for Windows PowerShell

To view the resultant PSO (fine-grained password policy) for users using the Active Directory module for Windows PowerShell see, Get Resultant Password Policy of a User.

Viewing the resultant PSO for users using the Windows interface

To view the resultant PSO for a user using Windows interface

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, ensure that Advanced Features is checked.

  3. In the console tree, click Users.

    Where?

    • Active Directory Users and Computers\domain node\Users
  4. In the details pane, right-click the user account for which you want to view the resultant PSO, and then click Properties.

  5. Click the Attribute Editor tab, and then click Filter.

  6. Ensure that the Show attributes/Optional check box is selected.

  7. Ensure that the Show read-only attributes/Constructed check box is selected.

  8. Locate the value of the msDS-ResultantPSO attribute in the Attributes list.

Note

If the value of the msDS-ResultantPSO attribute is Null, the Default Domain Policy is applied to the selected user account.

Viewing the resultant PSO for users from the command line using dsget

To view the resultant PSO for a user from the command line using dsget

  1. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  2. Type the following command, and then press ENTER:

    dsget user <User-DN> -effectivepso
    

    Example: dsget user "CN=u1,CN=Users,DC=corp,DC=contoso,DC=com" -effectivepso

Note

If the PSO name is not returned by the dsget command, the Default Domain Policy is applied to the specified user account.

Parameter Description

dsget user

Displays various properties of a user in the directory.

<User-DN>

Specifies full distinguished name of the user object for which you want to view the resultant PSO.

-effectivepso

Specifies the resultant PSO.