Step 3: Manage a PSO
Applies To: Windows Server 2008, Windows Server 2008 R2
Managing Password Settings objects (PSOs) includes the following tasks:
Deleting a PSO
Viewing and modifying PSO settings
Modifying PSO precedence
You must have Write permissions on the PSO object to perform any of the tasks above.
Deleting a PSO
You can delete a PSO in any of the following ways:
Delete a PSO using the Active Directory module for Windows PowerShell
Deleting a PSO using ADSI Edit
Deleting a PSO using ldifde
Delete a PSO using the Active Directory module for Windows PowerShell
To delete a PSO (fine-grained password policy) using the Active Directory module for Windows PowerShell, see Delete a Fine-Grained Password Policy.
Deleting a PSO using ADSI Edit
Active Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an Active Directory Domain Services (AD DS) forest. You can use ADSI Edit to query, view, and edit AD DS objects and attributes.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To delete a PSO using ADSI Edit
Click Start, click Run, type adsiedit.msc, and then click OK.
Double-click the domain that contains the PSO that you want to delete.
Double-click DC=<domain_name>.
Double-click CN=System.
Double-click CN=Password Settings.
Note
All the PSO objects that have been created in the selected domain appear.
Right-click the PSO that you want to delete, and then click Delete.
Note
When the PSO is deleted, the password policy it represented will no longer be in effect for the members of the global security group that it was applied to.
Deleting a PSO using ldifde
You can use ldifde as a scriptable alternative for deleting PSOs.
LDAP Data Interchange Format (LDIF) is a proposed Internet standard for a file format that you can use for performing batch operations against directories that conform to Lightweight Directory Access Protocol (LDAP) standards. You can use LDIF to export and import data. LDIF performs batch operations such as add, create, and modify against AD DS. When you install the AD DS role, a utility program called LDIFDE is included to support batch operations that are based on the LDIF file format standard. For more information, see Using LDIFDE to import and export directory objects to Active Directory (https://go.microsoft.com/fwlink/?LinkId=87487).
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).
To delete a PSO using ldifde
Specify which PSO you want to delete by saving the following sample code in a file, for example, delete-a-pso.ldf:
dn: CN=PSO1,CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
changetype: delete
Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.
Type the following command, and then press ENTER:
ldifde -i -f delete-a-pso.ldf
Parameter | Description |
---|---|
ldifde | Specifies a utility program that supports batch operations that are based on the LDIF file standard. |
-i | Specifies that Import Mode is turned on. |
-f delete-a-pso.ldf | Specifies the name of the input file that you created. |
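Whichever deletion method is used, the accounts that currently take their effective policy from the PSO stop being covered by it. The following added example (not part of the original page) uses the Active Directory module for Windows PowerShell to list those accounts before deleting; the name PSO1 comes from the LDIF sample above, and the review logic is an assumption about what an administrator wants to check first.

```powershell
Import-Module ActiveDirectory

$psoName = 'PSO1'   # PSO name from the LDIF sample on this page

# Settings that stop applying once the PSO is deleted.
$pso = Get-ADFineGrainedPasswordPolicy -Identity $psoName
$pso | Format-List Name, Precedence, MinPasswordLength, ComplexityEnabled,
    MaxPasswordAge, LockoutThreshold

# Users and global security groups the PSO is linked to (msDS-PSOAppliesTo).
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $psoName)

# Expand groups so the review covers every user account behind them.
$users = foreach ($s in $subjects) {
    if ($s.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $s.DistinguishedName -Recursive |
            Where-Object { $_.ObjectClass -eq 'user' }
    } elseif ($s.ObjectClass -eq 'user') {
        $s
    }
}
$users = @($users | Sort-Object -Property DistinguishedName -Unique)

# Keep only accounts whose resultant (effective) policy is this PSO;
# accounts covered by another, higher-ranked PSO are not affected by the delete.
$affected = @(foreach ($u in $users) {
    $effective = Get-ADUserResultantPasswordPolicy -Identity $u.DistinguishedName
    if ($effective -and $effective.DistinguishedName -eq $pso.DistinguishedName) {
        $u.SamAccountName
    }
})
"{0} account(s) currently get their effective policy from {1}:" -f $affected.Count, $psoName
$affected

# Delete only after reviewing the list; -Confirm prompts before the change.
Remove-ADFineGrainedPasswordPolicy -Identity $psoName -Confirm
```

After the deletion, running Get-ADUserResultantPasswordPolicy again for one of the listed accounts shows which PSO, if any, now applies; no output means the account falls back to the domain password policy.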
Viewing and modifying PSO settings
To view the details of a PSO (fine-grained password policy) using the Active Directory module for Windows PowerShell, see Retrieve Details of a Fine-Grained Password Policy.
To modify a PSO (fine-grained password policy) using the Active Directory module for Windows PowerShell, see Modify a Fine-Grained Password Policy.
To view or modify PSO settings using the Windows interface
Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
On the View menu, ensure that Advanced Features is checked.
In the console tree, click Password Settings Container.
Where?
- Active Directory Users and Computers\domain node\System\Password Settings Container.
In the details pane, right-click the PSO, and then click Properties.
Click the Attribute Editor tab.
Select the attribute whose setting you want to view or edit, and then click View (for editable values) or Edit (for read-only values).
Note
If you do not see attributes whose settings you want to view or edit, click Filter to customize the list of attributes that is shown on the Attribute Editor tab.
Note
To view or edit the msDS-PSOAppliesTo attribute, click Filter, and then click Show attributes/Optional. Clear the Show only attributes that have values check box.
Modifying PSO precedence
To modify PSO precedence using the Windows interface
Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
On the View menu, ensure that Advanced Features is checked.
In the console tree, click Password Settings Container.
Where?
- Active Directory Users and Computers\domain node\System\Password Settings Container
In the details pane, right-click the PSO, and then click Properties.
Click the Attribute Editor tab.
Select the msDS-PasswordSettingsPrecedence attribute, and then click Edit.
In the Integer Attribute Editor dialog box, enter the new value for the PSO Precedence, and then click OK.
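The same change can be scripted with the Active Directory module for Windows PowerShell. The following added example (not part of the original page) lists every PSO in rank order, flags precedence values shared by more than one PSO, then sets the new value and checks the result for one account. PSO1 is the name used in the LDIF sample earlier on this page; the precedence value 10 and the account name jsmith are hypothetical.

```powershell
Import-Module ActiveDirectory

$psoName       = 'PSO1'     # PSO name from the LDIF sample on this page
$newPrecedence = 10         # hypothetical value for illustration
$checkUser     = 'jsmith'   # hypothetical account covered by the PSO

# All PSOs in the domain in rank order: a lower
# msDS-PasswordSettingsPrecedence value ranks higher.
$all = @(Get-ADFineGrainedPasswordPolicy -Filter * | Sort-Object Precedence)
$all | Format-Table Name, Precedence, MinPasswordLength, LockoutThreshold -AutoSize

# Precedence values shared by several PSOs. A tie is broken by object GUID,
# which rarely matches what the administrator intended.
$ties = @($all | Group-Object Precedence | Where-Object { $_.Count -gt 1 })
foreach ($t in $ties) {
    $names = ($t.Group | ForEach-Object { $_.Name }) -join ', '
    "Precedence {0} is shared by: {1}" -f $t.Name, $names
}

# Refuse to create a new tie with another PSO.
$clash = @($all | Where-Object {
    $_.Precedence -eq $newPrecedence -and $_.Name -ne $psoName
})
if ($clash.Count -gt 0) {
    throw "Precedence $newPrecedence is already used by $($clash[0].Name)"
}

# Write the new precedence, then confirm which PSO wins for the test account.
Set-ADFineGrainedPasswordPolicy -Identity $psoName -Precedence $newPrecedence
Get-ADUserResultantPasswordPolicy -Identity $checkUser |
    Format-List Name, Precedence, MinPasswordLength
```

A PSO linked directly to a user object takes priority over PSOs that reach the user through group membership, regardless of precedence, so the resultant policy check is the reliable way to confirm the outcome.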