Password Settings Objects (PSOs) allow password settings to be applied to users or groups as opposed to organizational units. In this article, we will walk through the process of creating PSO and show you how to view their expiration date in Bamboo’s Password Expiration Web Part using SharePoint 2013.
Some important notes before you begin:
First, the domain functional level must be Windows 2008.
Some rules about using PSOs in Windows 2008:
- If multiple PSOs are linked to a user or group, the resultant PSO that is applied is determined as follows:
- A PSO that is linked directly to the user object is the resultant PSO.
- If no PSO is linked to the user object, the global security group memberships of the user and all PSOs that are applicable to the user based on those global group memberships.
- The PSO with the lowest msDS-PasswordSettingsPrecedence value is the resultant PSO.
- If no PSO is obtained from the preceding conditions, the Default Domain Policy is applied.
For this article:
- We have applied the Default Domain Policy; therefore, the password is set to expire for each user in 10 days.
- When you log into the Password Expiration Web Part on the first day, it will show that the password is set to expire in 9 days, as pictured below:
To create PSO in Windows 2008, follow these steps:
- Go to Run, type adsiedit.msc, and click OK:
- This will open ADSI Edit. To begin, right-click ADSI Edit and select Connect to …:
·
- Enter the Domain Name and click OK:
- Go to the CN=System node -> CN=Password Settings Container -> New Object, as pictured below:
- This will open the Create Object dialog box. Click Next:
- Type the Value into the textbox. Click Next:
- Input the following values when prompted:
1. msDS-PasswordSettingsPrecedence:
| Attribute name: | msDS-PasswordSettingsPrecedence |
| What it is: | Password Settings Precedence |
| Acceptable value range: | Greater than 0 |
| Example value: | 10 |
2. msDS-PasswordReversibleEncryptionEnabled:
| Attribute name: | msDS-PasswordReversibleEncryptionEnabled |
| What it is: | Password reversible encryption status for user accounts |
| Acceptable value range: | FALSE / TRUE (Recommended: FALSE) |
| Example value: | FALSE |
3. msDS-PasswordHistoryLength:
| Attribute name: | msDS-PasswordHistoryLength |
| What it is: | Password History Length for user accounts |
| Acceptable value range: | 0 through 1024 |
| Example value: | 24 |
4. msDS-PasswordComplexityEnabled:
| Attribute name: | msDS-PasswordComplexityEnabled |
| What it is: | Password complexity status for user accounts |
| Acceptable value range: | FALSE / TRUE (Recommended: TRUE) |
| Example value: | TRUE |
5. msDS-MinimumPasswordLength:
| Attribute name: | msDS-MinimumPasswordLength |
| What it is: | Minimum Password Length for user accounts |
| Acceptable value range: | 0 through 255 |
| Example value: | 8 |
6. msDS-MinimumPasswordAge:
| Attribute name: | msDS-MinimumPasswordAge |
| What it is: | Minimum Password Age for user accounts |
| Acceptable value range: |
(None) 00:00:00:00 through msDS-MaximumPasswordAge value
|
| Example value: | 1:00:00:00 (1 day) |
7. msDS-MaximumPasswordAge:
| Attribute name: | msDS-MaximumPasswordAge |
| What it is: | Maximum Password Age for user accounts |
| Acceptable value range: |
(Never) To set the time to (never), set the value to – 9223372036854775808 msDS-MinimumPasswordAge value through (Never) msDS-MaximumPasswordAge cannot be set to zero |
| Example value: | 42:00:00:00 (42 days) |
8. msDS-LockoutThreshold:
| Attribute name: | msDS-LockoutThreshold |
| What it is: | Lockout threshold for lockout of user accounts |
| Acceptable value range: | 0 through 65535 |
| Example value: | 10 |
9. msDS-LockoutObservationWindow:
| Attribute name: | msDS-LockoutObservationWindow |
| What it is: | Observation Window for lockout of user accounts |
| Acceptable value range: |
(None) 00:00:00:01 through msDS-LockoutDuration value |
| Example value: | 0:00:30:00 (30 minutes) |
10. msDS-LockoutDuration:
| Attribute name: | msDS-LockoutDuration |
| What it is: | Lockout duration for locked out user accounts |
| Acceptable value range: |
(None) (Never) msDS-LockoutObservationWindow value through (Never) |
| Example value: | 0:00:30:00 (30 minutes) |
- Finally, click More Attributes:
- In “Select which properties to view,” select msDS-PSOAppliesTo:
- In Edit Attribute, input msDS-PSOAppliesTo as follows:
| Attribute name: | msDS-PSOAppliesTo |
| What it is: | Links to objects that this password settings object applies to (forward link) |
| Acceptable value range: | 0 or more DNs of users or global security groups |
| Example value: | “CN=u1,CN=Users,DC=DC1,DC=contoso,DC=com” |
To show the password expiration date on Password Expiration Web Part in SharePoint 2013, follow these steps:
- Configure the tool pane as pictured below:
To verify that the password expiration settings were correctly applied, open Password Expiration Web Part. When you go to the Web Part, you will see that the expiration date is shown as a PSO:
