Step 3: Manage a PSO

Applies To: Windows Server 2008, Windows Server 2008 R2

Managing Password Settings objects (PSOs) includes the following tasks:

  • Deleting a PSO

  • Viewing and modifying PSO settings

  • Modifying PSO precedence

You must have Write permissions on the PSO object to perform any of the tasks above.

Deleting a PSO

You can delete a PSO in any of the following ways:

  • Delete a PSO using the Active Directory module for Windows PowerShell

  • Deleting a PSO using ADSI Edit

  • Deleting a PSO using ldifde

Delete a PSO using the Active Directory module for Windows PowerShell

To delete a PSO (fine-grained password policy) using the Active Directory module for Windows PowerShell, see Delete a Fine-Grained Password Policy.
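The following script is an added example, not code from the original article. It deletes a PSO with the Active Directory module, but first records which principals the PSO applies to and saves its settings, because (as the ADSI Edit note later on this page states) the policy stops being enforced for those principals the moment the object is gone. The PSO name PSO1 and the account someuser are placeholders.

```powershell
# Added example (not from the original article). Assumes the Active Directory
# module is available and that a PSO named 'PSO1' exists (placeholder name).
Import-Module ActiveDirectory

$psoName = 'PSO1'   # placeholder PSO name

# Which users and global security groups does this PSO currently govern?
# After deletion they fall back to the next applicable PSO, or to the domain
# password policy if none applies, so capture the list before removing it.
$subjects = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName
$subjects | Select-Object Name, ObjectClass, DistinguishedName | Format-Table -AutoSize

# Keep a copy of the PSO settings so the policy can be recreated if needed.
Get-ADFineGrainedPasswordPolicy -Identity $psoName -Properties * |
    Export-Clixml -Path ".\$psoName-backup.xml"

# Dry run: -WhatIf reports what would be deleted without changing the directory.
# Remove -WhatIf to perform the deletion (the cmdlet prompts for confirmation).
Remove-ADFineGrainedPasswordPolicy -Identity $psoName -WhatIf

# Afterwards, confirm which policy now applies to one of the former subjects
# (placeholder account). No output means the domain default policy applies.
Get-ADUserResultantPasswordPolicy -Identity 'someuser' |
    Select-Object Name, Precedence, MinPasswordLength
```

Running Get-ADUserResultantPasswordPolicy both before and after the change is the quickest way to confirm that removing the PSO had the intended effect on a representative account rather than silently weakening its password requirements.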

Deleting a PSO using ADSI Edit

Active Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an Active Directory Domain Services (AD DS) forest. You can use ADSI Edit to query, view, and edit AD DS objects and attributes.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To delete a PSO using ADSI Edit

  1. Click Start, click Run, type adsiedit.msc, and then click OK.

  2. Double-click the domain that contains the PSO that you want to delete.

  3. Double-click DC=<domain_name>.

  4. Double-click CN=System.

  5. Double-click CN=Password Settings Container.

Note

All the PSO objects that have been created in the selected domain appear.

  6. Right-click the PSO that you want to delete, and then click Delete.

Note

When the PSO is deleted, the password policy it represented will no longer be in effect for the members of the global security group that it was applied to.

Deleting a PSO using ldifde

You can use ldifde as a scriptable alternative for deleting PSOs.

LDAP Data Interchange Format (LDIF) is a proposed Internet standard for a file format that you can use for performing batch operations against directories that conform to Lightweight Directory Access Protocol (LDAP) standards. You can use LDIF to export and import data. LDIF performs batch operations such as add, create, and modify against AD DS. When you install the AD DS role, a utility program called LDIFDE is included to support batch operations that are based on the LDIF file format standard. For more information, see Using LDIFDE to import and export directory objects to Active Directory (https://go.microsoft.com/fwlink/?LinkId=87487).

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (https://go.microsoft.com/fwlink/?LinkId=83477).

To delete a PSO using ldifde

  1. Specify which PSO you want to delete by saving the following sample code in a file, for example, delete-a-pso.ldf:

    dn: CN=PSO1,CN=Password Settings Container,CN=System,DC=dc1,DC=contoso,DC=com
    changetype: delete
    
  2. Open a command prompt. To open a command prompt, click Start, click Run, type cmd, and then click OK.

  3. Type the following command, and then press ENTER:

    ldifde -i -f delete-a-pso.ldf
    
    Parameter             Description
    --------------------  -------------------------------------------------------------------------
    ldifde                Specifies a utility program that supports batch operations that are based
                          on the LDIF file standard.
    -i                    Specifies that Import Mode is turned on.
    -f delete-a-pso.ldf   Specifies the name of the input file that you created.
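Because ldifde is the scriptable route, the natural extension of the one-object file above is to generate the delete records for several PSOs and import them in one run. The script below is an added example and not part of the original article; the domain DN and PSO names are placeholders taken from the sample file on this page.

```powershell
# Added example (not from the original article): build a delete .ldf for several
# PSOs and import it with ldifde. Domain DN and PSO names are placeholders.
$domainDn = 'DC=dc1,DC=contoso,DC=com'
$psoNames = @('PSO1', 'PSO2')
$ldfPath  = '.\delete-psos.ldf'

$container = "CN=Password Settings Container,CN=System,$domainDn"

# Escape the RDN special characters (, + " \ < > ; =) so a PSO name such as
# 'Admins, Tier 0' produces a valid distinguished name in the LDIF file.
function ConvertTo-LdifRdnValue([string]$value) {
    return ($value -replace '([,+"\\<>;=])', '\$1')
}

$lines = foreach ($name in $psoNames) {
    "dn: CN=$(ConvertTo-LdifRdnValue $name),$container"
    "changetype: delete"
    ""   # a blank line terminates each LDIF record
}
$lines | Set-Content -Path $ldfPath -Encoding ASCII

# Show the generated file so it can be reviewed before anything is deleted.
Get-Content -Path $ldfPath

# Import (-i) the file (-f). ldifde returns a non-zero exit code when a record
# fails (for example, a PSO that does not exist), so surface that explicitly.
ldifde -i -f $ldfPath
if ($LASTEXITCODE -ne 0) {
    Write-Error "ldifde failed with exit code $LASTEXITCODE; check the generated file and ldif.log"
}
```

Reviewing the generated file before the import step is deliberate: with ldifde a delete record is applied exactly as written, and a wrong DN component (for example, omitting "Container" from the container name) simply fails the import rather than deleting the wrong object.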

Viewing and modifying PSO settings

To view the details of a PSO (fine-grained password policy) using the Active Directory module for Windows PowerShell, see Retrieve Details of a Fine-Grained Password Policy.

To modify a PSO (fine-grained password policy) using the Active Directory module for Windows PowerShell, see Modify a Fine-Grained Password Policy.

To view or modify PSO settings using the Windows interface

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, ensure that Advanced Features is checked.

  3. In the console tree, click Password Settings Container.

    Where?

    • Active Directory Users and Computers\domain node\System\Password Settings Container

  4. In the details pane, right-click the PSO, and then click Properties.

  5. Click the Attribute Editor tab.

  6. Select the attribute whose setting you want to view or edit, and then click View (for editable values) or Edit (for read-only values).

Note

If you do not see attributes whose settings you want to view or edit, click Filter to customize the list of attributes that is shown on the Attribute Editor tab.

Note

To view or edit the msDS-PSOAppliesTo attribute, click Filter, and then click Show attributes/Optional. Clear the Show only attributes that have values check box.

Modifying PSO precedence

To modify PSO precedence using the Windows interface

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.

  2. On the View menu, ensure that Advanced Features is checked.

  3. In the console tree, click Password Settings Container.

    Where?

    • Active Directory Users and Computers\domain node\System\Password Settings Container

  4. In the details pane, right-click the PSO, and then click Properties.

  5. Click the Attribute Editor tab.

  6. Select the msDS-PasswordSettingsPrecedence attribute, and then click Edit.

  7. In the Integer Attribute Editor dialog box, enter the new value for the PSO precedence, and then click OK.
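The two preceding procedures (viewing or modifying PSO settings, and modifying PSO precedence) can be done together from the Active Directory module. The script below is an added example, not code from the original article: it lists every PSO with the attributes that matter most, flags PSOs that share a precedence value, changes one PSO's settings and precedence, and then checks the resultant policy for an affected account. The PSO name PSO1, the account someuser, and the new values are placeholders.

```powershell
# Added example (not from the original article). Assumes the Active Directory
# module is available; 'PSO1', 'someuser' and the new values are placeholders.
Import-Module ActiveDirectory

# 1. View all PSOs, lowest precedence first. When more than one PSO applies to
#    a user, the one with the lowest msDS-PasswordSettingsPrecedence wins.
$psos = Get-ADFineGrainedPasswordPolicy -Filter * -Properties *
$psos | Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled,
                  PasswordHistoryCount, LockoutThreshold, AppliesTo |
    Format-Table -AutoSize

# 2. Flag precedence collisions. Two PSOs with the same precedence are broken
#    by object GUID, which gives an effective policy nobody chose deliberately.
$psos | Group-Object Precedence | Where-Object { $_.Count -gt 1 } | ForEach-Object {
    $names = ($_.Group | ForEach-Object { $_.Name }) -join ', '
    Write-Warning ("Precedence {0} is shared by: {1}" -f $_.Name, $names)
}

# 3. Modify a setting and the precedence of one PSO in a single call. -PassThru
#    returns the updated object so the change is visible immediately.
Set-ADFineGrainedPasswordPolicy -Identity 'PSO1' -MinPasswordLength 14 -Precedence 10 -PassThru |
    Select-Object Name, Precedence, MinPasswordLength

# 4. The msDS-PSOAppliesTo attribute from the note above is exposed as the
#    AppliesTo property; the subject cmdlet resolves it to the actual principals.
Get-ADFineGrainedPasswordPolicySubject -Identity 'PSO1' |
    Select-Object Name, ObjectClass

# 5. Confirm which PSO actually wins for a member after the precedence change.
Get-ADUserResultantPasswordPolicy -Identity 'someuser' |
    Select-Object Name, Precedence, MinPasswordLength
```

Step 2 is the check worth scheduling: precedence values are set by hand, so duplicates creep in as PSOs accumulate, and a duplicate means the policy a user actually receives is decided by GUID order rather than by the administrator.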