PSO Not Applying to Group but to Individual Users


  • I have one PSO in my domain that I put in the DN for the group in the msds-psoappliesto.  I have 2 user accounts in this group and those users are only part of this group, removed from membership of any other group.  Problem is, after setting the DN in this attribute, those 2 users are now not able to set their passwords to non-complex, which is the purpose of this PSO.

    However, if I put in the DN for the 2 users individually in msds-psoappliesto, then those users ARE able to change their passwords to non-complex.  

    Any ideas?

    Wednesday, March 29, 2017 4:55 PM

All replies

  • The group should be a global security group. See this link for how to assign the PSO to a user or a global security group:

    Edit: And there should be no need to remove the users from other groups, as long as the other groups don't have PSO's applied to them.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Wednesday, March 29, 2017 7:23 PM
  • Hi,

    I am checking how the issue is going, if you still have any questions, please feel free to contact us.

    And if the replies as above are helpful, we would appreciate you to mark them as answers, and if you resolve it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

    Appreciate for your feedback.

    Best regards,


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact

    Tuesday, April 4, 2017 6:00 AM