How to Create Password Settings Objects and Show their Expiration Date in Password Expiration Web Part Using SharePoint 2013

Password Settings Objects (PSOs) allow password settings to be applied to users or groups as opposed to organizational units. In this article, we will walk through the process of creating a PSO and show you how to view the resulting password expiration date in Bamboo’s Password Expiration Web Part using SharePoint 2013.

Some important notes before you begin:

First, the domain functional level must be Windows 2008.

Some rules about using PSOs in Windows 2008:

  • If multiple PSOs are linked to a user or group, the resultant PSO that is applied is determined as follows:
    • A PSO that is linked directly to the user object is the resultant PSO.
    • If no PSO is linked to the user object, the global security group memberships of the user, and all PSOs that are applicable to the user based on those global group memberships, are compared.
    • The PSO with the lowest msDS-PasswordSettingsPrecedence value is the resultant PSO.
  • If no PSO is obtained from the preceding conditions, the Default Domain Policy is applied.
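The resolution rules above, applied to a small in-memory model of PSOs and group memberships. This is an added example and not code from the original article; the function name Get-ResultantPso, the object shape (Name, Precedence, AppliesTo) and the sample PSOs and DNs are all constructed for illustration, and group membership is supplied as an already-expanded list of global security group DNs.

```powershell
# Added example, not part of the original article: applies the resolution rules
# listed above to an in-memory model of PSOs. Group membership is supplied as a
# flat list of global security group DNs (nested groups would need expanding first).
function Get-ResultantPso {
    param(
        [Parameter(Mandatory)] [string]   $UserDn,
        [string[]] $UserGroupDns = @(),
        [Parameter(Mandatory)] [object[]] $Psos   # objects with Name, Precedence, AppliesTo
    )

    # Rule 1: a PSO linked directly to the user object wins; if several are,
    # the lowest msDS-PasswordSettingsPrecedence value breaks the tie.
    $direct = @($Psos | Where-Object { $_.AppliesTo -contains $UserDn })
    if ($direct.Count -gt 0) {
        return ($direct | Sort-Object Precedence | Select-Object -First 1).Name
    }

    # Rule 2: otherwise compare the PSOs linked to any of the user's global
    # security groups and again take the lowest precedence value.
    $viaGroups = @($Psos | Where-Object {
        $pso = $_
        @($UserGroupDns | Where-Object { $pso.AppliesTo -contains $_ }).Count -gt 0
    })
    if ($viaGroups.Count -gt 0) {
        return ($viaGroups | Sort-Object Precedence | Select-Object -First 1).Name
    }

    # Rule 3: no PSO applies, so the Default Domain Policy governs the account.
    return 'Default Domain Policy'
}

# Constructed sample data (not real directory objects), using the DN layout the
# article uses for msDS-PSOAppliesTo.
$domain   = 'DC=DC1,DC=contoso,DC=com'
$u1       = "CN=u1,CN=Users,$domain"
$u2       = "CN=u2,CN=Users,$domain"
$adminsDn = "CN=Domain Admins,CN=Users,$domain"
$staffDn  = "CN=Staff,CN=Users,$domain"

$psos = @(
    [pscustomobject]@{ Name = 'PSO-Admins'; Precedence = 5;  AppliesTo = @($adminsDn) }
    [pscustomobject]@{ Name = 'PSO-Staff';  Precedence = 20; AppliesTo = @($staffDn) }
    [pscustomobject]@{ Name = 'PSO-u1';     Precedence = 10; AppliesTo = @($u1) }
)

# u1: the directly linked PSO wins even though PSO-Admins has a lower precedence value.
Get-ResultantPso -UserDn $u1 -UserGroupDns @($adminsDn, $staffDn) -Psos $psos
# u2: no direct link, so the group-linked PSO with the lowest precedence value wins.
Get-ResultantPso -UserDn $u2 -UserGroupDns @($adminsDn, $staffDn) -Psos $psos
# A user in no linked group falls back to the Default Domain Policy.
Get-ResultantPso -UserDn $u2 -Psos $psos
```

The point worth noticing is that a directly linked PSO takes precedence over a group-linked one regardless of its msDS-PasswordSettingsPrecedence value; the precedence number only decides between PSOs reached the same way. In a live domain the same answer is available from Get-ADUserResultantPasswordPolicy, which is useful for checking that a new PSO is actually the one in effect before relying on the expiration date the Web Part displays.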

For this article:

  • We have applied the Default Domain Policy; therefore, the password is set to expire for each user in 10 days.
  • When you log into the Password Expiration Web Part on the first day, it will show that the password is set to expire in 9 days, as pictured below:

To create a PSO in Windows 2008, follow these steps:

  • Go to Run, type adsiedit.msc, and click OK.
  • This will open ADSI Edit. To begin, right-click ADSI Edit and select Connect to….
  • Enter the Domain Name and click OK.
  • Go to the CN=System node -> CN=Password Settings Container -> New Object, as pictured below.
  • This will open the Create Object dialog box. Click Next.
  • Type the Value into the textbox. Click Next.
  • Input the following values when prompted:

      1.   msDS-PasswordSettingsPrecedence:

      Attribute name: msDS-PasswordSettingsPrecedence
      What it is: Password Settings Precedence
      Acceptable value range: Greater than 0
      Example value: 10

      2. msDS-PasswordReversibleEncryptionEnabled:

      Attribute name: msDS-PasswordReversibleEncryptionEnabled
      What it is: Password reversible encryption status for user accounts
      Acceptable value range: FALSE / TRUE (Recommended: FALSE)
      Example value: FALSE

      3. msDS-PasswordHistoryLength:

      Attribute name: msDS-PasswordHistoryLength
      What it is: Password History Length for user accounts
      Acceptable value range: 0 through 1024
      Example value: 24

      4. msDS-PasswordComplexityEnabled:

      Attribute name: msDS-PasswordComplexityEnabled
      What it is: Password complexity status for user accounts
      Acceptable value range: FALSE / TRUE (Recommended: TRUE)
      Example value: TRUE

      5. msDS-MinimumPasswordLength:

      Attribute name: msDS-MinimumPasswordLength
      What it is: Minimum Password Length for user accounts
      Acceptable value range: 0 through 255
      Example value: 8

      6. msDS-MinimumPasswordAge:

      Attribute name: msDS-MinimumPasswordAge
      What it is: Minimum Password Age for user accounts
      Acceptable value range: (None), or 00:00:00:00 through the msDS-MaximumPasswordAge value
      Example value: 1:00:00:00 (1 day)

      7. msDS-MaximumPasswordAge:

      Attribute name: msDS-MaximumPasswordAge
      What it is: Maximum Password Age for user accounts
      Acceptable value range: (Never), or the msDS-MinimumPasswordAge value through (Never)
      Notes: msDS-MaximumPasswordAge cannot be set to zero. To set the time to (Never), set the value to -9223372036854775808.
      Example value: 42:00:00:00 (42 days)

      8. msDS-LockoutThreshold:

      Attribute name: msDS-LockoutThreshold
      What it is: Lockout threshold for lockout of user accounts
      Acceptable value range: 0 through 65535
      Example value: 10

      9. msDS-LockoutObservationWindow:

      Attribute name: msDS-LockoutObservationWindow
      What it is: Observation Window for lockout of user accounts
      Acceptable value range: (None), or 00:00:00:01 through the msDS-LockoutDuration value
      Example value: 0:00:30:00 (30 minutes)

      10. msDS-LockoutDuration:

      Attribute name: msDS-LockoutDuration
      What it is: Lockout duration for locked out user accounts
      Acceptable value range: (None), (Never), or the msDS-LockoutObservationWindow value through (Never)
      Example value: 0:00:30:00 (30 minutes)

  • Finally, click More Attributes.
  • In “Select which properties to view,” select msDS-PSOAppliesTo.
  • In Edit Attribute, input msDS-PSOAppliesTo as follows:

      Attribute name: msDS-PSOAppliesTo
      What it is: Links to objects that this password settings object applies to (forward link)
      Acceptable value range: 0 or more DNs of users or global security groups
      Example value: CN=u1,CN=Users,DC=DC1,DC=contoso,DC=com

To show the password expiration date on the Password Expiration Web Part in SharePoint 2013, follow these steps:

  • Configure the tool pane as pictured below:

To verify that the password expiration settings were correctly applied, open the Password Expiration Web Part. You will see that the expiration date shown is now the one derived from the PSO rather than the Default Domain Policy:
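The same PSO that the ADSI Edit walkthrough above builds by hand, created with the ActiveDirectory module and then checked from the directory side, so that the expiration date the Web Part displays can be compared against what Active Directory itself computes for the account. This is an added example and is not code from the original article or from Bamboo; it assumes the ActiveDirectory (RSAT) module on a domain-joined machine and rights to write to CN=Password Settings Container. The PSO name PSO-u1 is an assumption, the user u1 and the attribute values are the article's own example values, and the article does not state which attribute the Web Part reads, so the expiry check here is independent of the Web Part.

```powershell
# Added example, not part of the original article: creates the same PSO that
# the ADSI Edit walkthrough builds by hand, links it to user u1, then reads back
# the resultant policy and the computed expiry date for that account.
# Assumes the ActiveDirectory module (RSAT) on a domain-joined machine and
# rights to write to CN=Password Settings Container. The PSO name is an
# assumption; the attribute values are the article's example values.
Import-Module ActiveDirectory

$psoName = 'PSO-u1'
$userSam = 'u1'

# Cmdlet parameters mapped to the msDS-* attributes entered in ADSI Edit.
# Time spans here use the .NET TimeSpan form d.hh:mm:ss (ADSI Edit shows d:hh:mm:ss).
$psoParams = @{
    Name                        = $psoName
    Precedence                  = 10             # msDS-PasswordSettingsPrecedence
    ReversibleEncryptionEnabled = $false         # msDS-PasswordReversibleEncryptionEnabled
    PasswordHistoryCount        = 24             # msDS-PasswordHistoryLength
    ComplexityEnabled           = $true          # msDS-PasswordComplexityEnabled
    MinPasswordLength           = 8              # msDS-MinimumPasswordLength
    MinPasswordAge              = '1.00:00:00'   # msDS-MinimumPasswordAge (1 day)
    MaxPasswordAge              = '42.00:00:00'  # msDS-MaximumPasswordAge (42 days)
    LockoutThreshold            = 10             # msDS-LockoutThreshold
    LockoutObservationWindow    = '0.00:30:00'   # msDS-LockoutObservationWindow (30 minutes)
    LockoutDuration             = '0.00:30:00'   # msDS-LockoutDuration (30 minutes)
}

# Create the PSO only if it does not already exist, so the script can be re-run.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy @psoParams
}

# msDS-PSOAppliesTo: link the PSO to the user (a global security group works too).
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $userSam

# Confirm which policy actually governs the account once the precedence rules
# are applied; no result means the Default Domain Policy still applies.
$resultant = Get-ADUserResultantPasswordPolicy -Identity $userSam
if ($resultant) {
    "Resultant PSO: $($resultant.Name) (precedence $($resultant.Precedence))"
} else {
    'Resultant policy: Default Domain Policy'
}

# The constructed attribute msDS-UserPasswordExpiryTimeComputed gives the date the
# account's password expires under the resultant policy, as a FILETIME value.
# 0 means the password must be changed at next logon; Int64.MaxValue means never.
$user = Get-ADUser -Identity $userSam -Properties 'msDS-UserPasswordExpiryTimeComputed'
$raw  = [long]$user.'msDS-UserPasswordExpiryTimeComputed'
if ($raw -eq 0) {
    'Password must be changed at next logon'
} elseif ($raw -eq [long]::MaxValue) {
    'Password never expires'
} else {
    $expires  = [DateTime]::FromFileTime($raw)
    $daysLeft = [math]::Floor(($expires - (Get-Date)).TotalDays)
    "Password expires on $expires ($daysLeft days from now)"
}
```

With the article's values the account should report a resultant PSO of PSO-u1 and an expiry roughly 42 days after the password was last set, instead of the 10 days the Default Domain Policy gave earlier in the article. If Get-ADUserResultantPasswordPolicy still returns nothing, the usual causes are a domain functional level below Windows Server 2008 or a missing msDS-PSOAppliesTo link, both of which are worth checking before looking at the Web Part configuration.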