none
Fine Grained Password Policy Applied to Group but Not to the Users

    Question

  • Hi there

    I have a domain controller Server 2008 R2, with functional level 2008 and forest level 2003.  I created a fine grained pw policy and have applied to global security groups.  In the attributes of the global security groups and the users, i can see the msDS-PSOapplied showing the FGPP name, but the msDS-ResultantPSO are <not set>.  Can anyone shed me some lights on why it is not working as expected?

    BTW I have the FGPP msDS-PasswordSettingsPrecedence to the value of 1.

    Thanks

    JC

    Saturday, August 27, 2016 5:11 PM

Answers

  • Hi JC,

    Thanks for your post.

    Based on my experience, if the value of the msDS-ResultantPSO attribute is Null, the Default Domain Policy is applied to the selected user account.

    To check if the PSO has been applied to use or security group, please check the article below:

    Step 4: View a Resultant PSO for a User or a Global Security Group

    https://technet.microsoft.com/en-us/library/cc770848(WS.10).aspx

    In addition, how did you configure FGPP?

    Here is an article below about how to configure FGPP may be helpful to you.

    Step 1: Create a PSO

    https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 30, 2016 6:39 AM
    Moderator

All replies

  • A FGPP does not apply to any user with any of the following settings:

    • Reverisble password encryption required
    • Password not required
    • Password does not expire

    Does this explain what you see?


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Saturday, August 27, 2016 5:50 PM
  • Hi JC,

    Thanks for your post.

    Based on my experience, if the value of the msDS-ResultantPSO attribute is Null, the Default Domain Policy is applied to the selected user account.

    To check if the PSO has been applied to use or security group, please check the article below:

    Step 4: View a Resultant PSO for a User or a Global Security Group

    https://technet.microsoft.com/en-us/library/cc770848(WS.10).aspx

    In addition, how did you configure FGPP?

    Here is an article below about how to configure FGPP may be helpful to you.

    Step 1: Create a PSO

    https://technet.microsoft.com/en-us/library/cc754461(v=ws.10).aspx

    Best Regards,

    Jay


    Please remember to mark the replies as answers if they help and un-mark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, August 30, 2016 6:39 AM
    Moderator