Continuing on from last weeks article – ‘How to create a PSO in a Domain’, we delve into applying a Password Settings Object to User Accounts.
To apply the PSO to a user in the domain, select the PSO object and navigate to Action-Properties.
The PSO Properties dialog box appears and opens in the Attribute Editor tab. Navigate and click on msDS-PSOAppliesTo. Select Edit.
Note: msDS-PSOAppliesTo attribute is multi-valued. This enables you to create one password policy, with a Distinguished Name (DN)/Serial Identifier Definition(SID), and apply it to different sets of users or global security groups.
Let’s say we want to apply the PSO to the users who belong to the HR group. We need to add the DN/SID using the Windows Account. Click ‘Add Windows Account’.
In the Select Users, Computers or Groups dialog box, enter in ‘HR’ and click ‘Check Names’.
‘HR’ should be underlined. Click ‘OK’ again confirm the new group.
The PSO has now been applied to the HR Group. The SID for the group is displayed in the Attribute Editor tabbed page of the PSO properties. Click ‘OK’ to exit out of the properties dialog box for this PSO object.