PSO override

    Question

  • I have a Password Policy in place but some Admins are changing users' account options so the policy is getting ignored, see below.

    Any ideas how to prevent just on the PSO group it applies to?

    Tuesday, January 27, 2015 2:35 PM

All replies

  • I have a Password Policy in place but some Admins are changing users' account options so the policy is getting ignored, see below.

    Any ideas to stop this on that PSO group?

    Tuesday, January 27, 2015 2:34 PM
  • You cannot configure the PSO object to overwrite this configuration.
    However, you can proceed in two ways:

    • Update your security settings so that these administrators will not be able to enable these options on user accounts that are members of the group on which the PSO object is applied
    • Or you can have a PowerShell script that will run periodically on members of the group on which the PSO object is applied so that it disables the mentioned options if your admins have enabled them

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK


    • Proposed as answer by Calin Liviu Tuesday, January 27, 2015 3:08 PM
    Tuesday, January 27, 2015 2:38 PM
  • > I have a Password Policy in place but some Admins are changing users
     
    If they do bad stuff, don't make them admins... No other way.
     

    Martin

    Want to read a GOOD book about GPOs?

    NO THEY ARE NOT EVIL, if you know what you are doing: Good or bad GPOs?
    And if IT bothers me - coke bottle design refreshment :))
    • Proposed as answer by Calin Liviu Tuesday, January 27, 2015 3:07 PM
    • Unproposed as answer by jamicon Friday, January 30, 2015 8:23 PM
    Tuesday, January 27, 2015 3:02 PM
  • > Update your security settings so that these administrators will not be
    > able to enable these options
     
    Might be a hard job if they are real administrators :-)
     

    Martin

    Tuesday, January 27, 2015 3:07 PM
  • "or You can have a Powershell script that will run periodically on members of the group on which the PSO object is applied so that it disables the mentioned options if your admins have enabled them"

    I have used custom delegation before and it worked but I like the idea of scheduling this. Anyone got one?

    Tuesday, January 27, 2015 8:21 PM
  • preaching to the choir my friend.

    however "some" accounts need that setting legitimately

    Tuesday, January 27, 2015 8:29 PM
  •  
    > preaching to the choir my friend.
     
    Yes, I know - sad story for a long time :)
     
    > however "some" accounts need that setting legitimately
     
    Then either teach them what to do and what not - or make an agreement
    with them so you can justify when they violate it.
     
    Always remember: An admin is an admin is an admin is an admin is an
    admin (can't be repeated often enough)
     

    Martin

    Wednesday, January 28, 2015 10:19 AM
  • "or You can have a Powershell script that will run periodically on members of the group on which the PSO object is applied so that it disables the mentioned options if your admins have enabled them"

    I have used custom delegation before and it worked but I like the idea of scheduling this. Anyone got one?

    You can develop one. PowerShell is easy to use and develop :)


    Ahmed MALEK


    Wednesday, January 28, 2015 8:52 PM
  • Hi,

    As per my knowledge, Active Directory will automatically apply the PSO with the highest priority setting, which is one of the user-controllable settings in the PSO properties.

    Still give it a try for below:

    Did you modify the PSO precedence? If not, do the following:

    To modify PSO precedence using the Windows interface

        1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

        2. On the View menu, ensure that Advanced Features is checked.

        3. In the console tree, click Password Settings Container.

           Where?
               Active Directory Users and Computers\domain node\System\Password Settings Container

        4. In the details pane, right-click the PSO, and then click Properties.

        5. Click the Attribute Editor tab.

        6. Select the msDS-PasswordSettingsPrecedence attribute, and then click Edit.

        7. In the Integer Attribute Editor dialog box, enter the new value for the PSO Precedence, and then click OK.


    Regards, Prabhu

    Friday, January 30, 2015 5:30 AM
  • thank you for your reply

    the value is set to 1

    my account is set to never expire and I have not been forced to change my password

    my other test account does not have that set and has been prompted to change password.

    ideas?

    Friday, January 30, 2015 8:16 PM
  • Hi Jamicon,

    >>Any ideas how to prevent just on the PSO group it applies to?

    I know this is not the answer you want. However, as Martin suggested, if they are domain admins, then we can't really stop them, for they can revert the changes we make to them.

    Best regards,
    Frank Shen


    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


    Monday, February 2, 2015 9:06 AM
    Moderator
  • They are not domain admins, they just have full control delegation rights to their location OU and sub containers.

    I have in the past been able to use delegation to block those fields but since this group is a variable and I'm not looking to increase my admin overhead, I am just trying to find a solution like maybe a script that runs every day that could uncheck those boxes for the users group in the PSO.

    Monday, February 2, 2015 1:32 PM
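
A sketch of the scheduled remediation script discussed in this thread, added here as an example and not posted by any participant. It handles only the "Password never expires" option mentioned above, and skips an exemption list for the accounts that legitimately need it. The PSO name, exempt account names and log path are placeholders to replace.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]   $PsoName = 'Example-PSO',                    # placeholder PSO name
    [string[]] $Exempt  = @('svc-example'),                 # placeholder sAMAccountNames that may keep the flag
    [string]   $LogPath = 'C:\Logs\pso-remediation.csv'     # placeholder audit log path
)

$pso = Get-ADFineGrainedPasswordPolicy -Identity $PsoName

# The PSO is linked to groups and/or users; expand groups to their user members.
$candidates = foreach ($subject in Get-ADFineGrainedPasswordPolicySubject -Identity $pso) {
    if ($subject.objectClass -eq 'group') {
        Get-ADGroupMember -Identity $subject -Recursive | Where-Object objectClass -eq 'user'
    } elseif ($subject.objectClass -eq 'user') {
        $subject
    }
}
if (-not $candidates) { Write-Warning "No users found for PSO '$PsoName'."; return }

$changed = foreach ($dn in ($candidates.DistinguishedName | Sort-Object -Unique)) {
    $user = Get-ADUser -Identity $dn -Properties PasswordNeverExpires
    if (-not $user.PasswordNeverExpires)        { continue }   # already compliant
    if ($Exempt -contains $user.SamAccountName) { continue }   # agreed exception

    # Only touch accounts whose resultant policy really is this PSO
    # (a higher-precedence PSO may win for some users).
    $resultant = Get-ADUserResultantPasswordPolicy -Identity $user
    if (-not $resultant -or $resultant.DistinguishedName -ne $pso.DistinguishedName) { continue }

    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Clear "Password never expires"')) {
        Set-ADUser -Identity $user -PasswordNeverExpires $false
        [pscustomobject]@{
            Time   = Get-Date -Format o
            User   = $user.SamAccountName
            DN     = $dn
            Action = 'PasswordNeverExpires cleared'
        }
    }
}

# Keep a record of every change so repeat offenders can be followed up.
if ($changed) { $changed | Export-Csv -Path $LogPath -Append -NoTypeInformation }
```

Run it once with `-WhatIf` to see which accounts would change, then schedule it under an account that has write access to the affected users. As the replies above point out, anyone with full control over the OU can set the flag again between runs, so the log is the evidence trail, not a hard control.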