Issue with FineGrained password policy


  • Please, I need your help


    I tried the same steps 

    >Created one global group and a PSO
    >Added the group to the PSO
    >Added the user named 'test' to the group
    >But it is still showing the domain policy, not the one that I set using the PSO
    The ResultantPSO attribute is missing from the Attribute Editor

    AppliesTo                   : {CN=testgroup,OU=Test,DC=corp,DC=com, CN=rkaim,CN=Users,DC=corp,DC=com}
    ComplexityEnabled           : True
    DistinguishedName           : CN=Test_pwd_pols,CN=Password Settings Container,CN=System,DC=corp,DC=com
    LockoutDuration             : 00:30:00
    LockoutObservationWindow    : 00:30:00
    LockoutThreshold            : 3
    MaxPasswordAge              : 20.00:00:00
    MinPasswordAge              : 2.00:00:00
    MinPasswordLength           : 10
    Name                        : Test_pwd_pols
    ObjectClass                 : msDS-PasswordSettings
    ObjectGUID                  : b703eb64-c294-4654-9be1-fa1fa2315f5a
    PasswordHistoryCount        : 12
    Precedence                  : 10
    ReversibleEncryptionEnabled : False

    PS C:\> net user test
    User name                    test
    Full Name                    Test
    User's comment
    Country/region code          000 (System Default)
    Account active               Yes
    Account expires              Never

    Password last set            2/22/2017 9:04:49 PM
    Password expires             4/5/2017 9:04:49 PM
    Password changeable          2/23/2017 9:04:49 PM
    Password required            Yes
    User may change password     Yes

    • Edited by rahulkaim Wednesday, February 22, 2017 4:09 PM
    Wednesday, February 22, 2017 4:07 PM

All replies

  • Hi,
    FGPP requires the domain functional level to be Windows Server 2008 or higher, so please make sure that all DCs are running a minimum of the 2008 OS if you want to use FGPP.
    Please try the following steps to check whether the FGPP is applied:
    • Right-click the user or group > Properties.
    • Click the Attribute Editor tab.
    • Find the msDS-ResultantPSO attribute.
    • If a password policy or PSO applies to a user or group, it will be displayed in the attribute's property with the CN of the PSO.
    Best regards,


    Thursday, February 23, 2017 5:17 AM
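
The checks discussed in this thread can also be run from PowerShell. The script below is an added example, not part of either post; it assumes the ActiveDirectory (RSAT) module and reuses the names `test`, `testgroup` and `Test_pwd_pols` from the question.

```powershell
# Added example: find out which password policy a user really receives.
# Run as an account that can read the Password Settings Container
# (by default only Domain Admins can); otherwise the PSO lookups come back empty.
Import-Module ActiveDirectory

$user  = 'test'            # names taken from the thread
$group = 'testgroup'
$pso   = 'Test_pwd_pols'

# 1. FGPP needs a domain functional level of Windows Server 2008 or higher.
$mode = (Get-ADDomain).DomainMode
if ("$mode" -match '2000|2003') {
    Write-Warning "Domain functional level is $mode; FGPP is not available."
}

# 2. A PSO takes effect only on users and on global security groups.
$g = Get-ADGroup -Identity $group
if ($g.GroupScope -ne 'Global' -or $g.GroupCategory -ne 'Security') {
    Write-Warning "$group is $($g.GroupScope)/$($g.GroupCategory), not Global/Security."
}

# 3. Is the user actually a member of the group the PSO is linked to?
$u = Get-ADUser -Identity $user -Properties 'msDS-ResultantPSO'
$memberDns = (Get-ADGroupMember -Identity $group -Recursive).DistinguishedName
if ($memberDns -notcontains $u.DistinguishedName) {
    Write-Warning "$user is not a member of $group."
}

# 4. Which objects is the PSO linked to (the AppliesTo list)?
Get-ADFineGrainedPasswordPolicySubject -Identity $pso |
    Select-Object Name, ObjectClass

# 5. msDS-ResultantPSO is a constructed attribute. The Attribute Editor in
#    ADUC lists it only when Filter > Constructed is ticked, so query it directly.
"msDS-ResultantPSO: $($u.'msDS-ResultantPSO')"

# 6. The effective policy. No output here means no PSO applies and the
#    user falls back to the default domain password policy.
$effective = Get-ADUserResultantPasswordPolicy -Identity $user
if ($effective) {
    $effective | Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, MinPasswordAge
} else {
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object MinPasswordLength, MaxPasswordAge, MinPasswordAge
}
```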