Password Settings Objects (PSOs), otherwise known as fine-grained password policies, can be used to apply different password and account lockout restrictions to different sets of users in a domain.
To create a PSO:
- Open Active Directory Administrative Centre
- Double-click the domain, then System, and then Password Settings Container.
- Click on New > Password Settings
- Enter the settings for the password policy and select the user or group it applies to
If more than one password policy applies to a user, the policy with the lowest precedence number applies. In the example below, the Hill user password policy has a lower precedence number and so applies to the user even if he is also in HQ users.
PSOs can also be configured and applied by using the ADFineGrainedPasswordPolicy and ADFineGrainedPasswordPolicySubject sets of cmdlets.
For example:
# Create a PSO; the trailing backticks continue the command across lines
New-ADFineGrainedPasswordPolicy `
    -Name "Domain Admins Policy" `
    -MinPasswordLength 10 `
    -Precedence 20 `
    -LockoutThreshold 5
Get-ADFineGrainedPasswordPolicy -Filter *   # show the policies
Resultant password settings
PowerShell can be used to see the password settings that apply to a user:
Get-ADUser -Identity "Charlie" | Get-ADUserResultantPasswordPolicy
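
The following is an added example, not part of the original page: it links the PSO created above to a group, lists all PSOs in precedence order, and then checks which policy each group member actually receives. The subject group "Domain Admins" and the helper function Get-EffectivePasswordPolicy are assumptions made for illustration.

```powershell
# Added example (not from the original page). "Domain Admins" as the subject group and
# "Charlie" as the user are sample values; requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Link the PSO to a group. PSOs apply to users and global security groups, not OUs.
Add-ADFineGrainedPasswordPolicySubject -Identity "Domain Admins Policy" -Subjects "Domain Admins"

# List every PSO in precedence order with the objects it is linked to.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold,
        @{ Name = 'AppliesTo'; Expression = { $_.AppliesTo -join '; ' } } |
    Format-Table -AutoSize

# Hypothetical helper: report the policy in effect for one user. When no PSO applies,
# Get-ADUserResultantPasswordPolicy returns nothing and the default domain policy is used.
function Get-EffectivePasswordPolicy {
    param([Parameter(Mandatory)][string]$Identity)

    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity
    if ($pso) {
        $source = "PSO: $($pso.Name)"
        $policy = $pso
    } else {
        $source = 'Default domain password policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }
    [pscustomobject]@{
        User              = $Identity
        Source            = $source
        MinPasswordLength = $policy.MinPasswordLength
        LockoutThreshold  = $policy.LockoutThreshold
        ComplexityEnabled = $policy.ComplexityEnabled
    }
}

# Single user, then every user in the group (nested members included).
Get-EffectivePasswordPolicy -Identity "Charlie"
Get-ADGroupMember -Identity "Domain Admins" -Recursive |
    Where-Object objectClass -eq 'user' |
    ForEach-Object { Get-EffectivePasswordPolicy -Identity $_.SamAccountName }
```

A PSO linked directly to a user object takes priority over PSOs inherited through group membership, so the per-member check is what confirms which policy an account really gets.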