Step 4: View a Resultant PSO for a User or a Global Security Group

Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

On the View menu, ensure that Advanced Features is checked.

In the console tree, click Users.

Where?

• Active Directory Users and Computers\domain node\Users
  
  

In the details pane, right-click the user account for which you want to view the resultant PSO, and then click Properties.

Click the Attribute Editor tab, and then click Filter.

Ensure that the Show attributes/Optional check box is selected.

Ensure that the Show read-only attributes/Constructed check box is selected.

Locate the value of the msDS-ResultantPSO attribute in the Attributes list.

Note
If the value of the msDS-ResultantPSO attribute is Null, the Default Domain Policy is applied to the selected user account.

Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.

Type the following command, and then press ENTER:

dsget user <User-DN> -effectivepso

Example: dsget user "CN=u1,CN=Users,DC=corp,DC=contoso,DC=com" -effectivepso

Note
If the PSO name is not returned by the dsget command, the Default Domain Policy is applied to the specified user account.