How to Create Password Settings Objects and Show their Expiration Date in Password Expiration Web Part Using SharePoint 2013

Password Settings Objects (PSOs) allow password settings to be applied to users or groups as opposed to organizational units. In this article, we will walk through the process of creating PSO and show you how to view their expiration date in Bamboo’s Password Expiration Web Part using SharePoint 2013.

Some important notes before you begin:

First, the domain functional level must be Windows 2008.

Some rules about using PSOs in Windows 2008:

  • If multiple PSOs are linked to a user or group, the resultant PSO that is applied is determined as follows:
    • A PSO that is linked directly to the user object is the resultant PSO.
    • If no PSO is linked to the user object, the global security group memberships of the user and all PSOs that are applicable to the user based on those global group memberships.
    • The PSO with the lowest msDS-PasswordSettingsPrecedence value is the resultant PSO.
  • If no PSO is obtained from the preceding conditions, the Default Domain Policy is applied.

For this article:

  • We have applied the Default Domain Policy; therefore, the password is set to expire for each user in 10 days.
  • When you log into the Password Expiration Web Part on the first day, it will show that the password is set to expire in 9 days, as pictured below:


To create PSO in Windows 2008, follow these steps:

  • Go to Run, type adsiedit.msc, and click OK:


  • This will open ADSI Edit. To begin, right-click ADSI Edit and select Connect to …:


  • Enter the Domain Name and click OK:


  • Go to the CN=System node -> CN=Password Settings Container -> New Object, as pictured below:


    • This will open the Create Object dialog box. Click Next:


    • Type the Value into the textbox. Click Next:


      • Input the following values when prompted:

      1.   msDS-PasswordSettingsPrecedence:

      Attribute name: msDS-PasswordSettingsPrecedence
      What it is: Password Settings Precedence
      Acceptable value range: Greater than 0
      Example value: 10

      2. msDS-PasswordReversibleEncryptionEnabled:

      Attribute name: msDS-PasswordReversibleEncryptionEnabled
      What it is: Password reversible encryption status for user accounts
      Acceptable value range: FALSE / TRUE (Recommended: FALSE)
      Example value: FALSE

      3. msDS-PasswordHistoryLength:

      Attribute name: msDS-PasswordHistoryLength
      What it is: Password History Length for user accounts
      Acceptable value range: 0 through 1024
      Example value: 24


      4. msDS-PasswordComplexityEnabled:

      Attribute name: msDS-PasswordComplexityEnabled
      What it is: Password complexity status for user accounts
      Acceptable value range: FALSE / TRUE (Recommended: TRUE)
      Example value: TRUE

      5. msDS-MinimumPasswordLength:

      Attribute name: msDS-MinimumPasswordLength
      What it is: Minimum Password Length for user accounts
      Acceptable value range: 0 through 255
      Example value: 8

      6. msDS-MinimumPasswordAge:

      Attribute name: msDS-MinimumPasswordAge
      What it is: Minimum Password Age for user accounts
      Acceptable value range:


      00:00:00:00 through msDS-MaximumPasswordAge value


      Example value: 1:00:00:00 (1 day)

      7. msDS-MaximumPasswordAge:

      Attribute name: msDS-MaximumPasswordAge
      What it is: Maximum Password Age for user accounts
      Acceptable value range:


      To set the time to (never), set the value to – 9223372036854775808

      msDS-MinimumPasswordAge value through (Never)

      msDS-MaximumPasswordAge cannot be set to zero

      Example value: 42:00:00:00 (42 days)

      8. msDS-LockoutThreshold:

      Attribute name: msDS-LockoutThreshold
      What it is: Lockout threshold for lockout of user accounts
      Acceptable value range: 0 through 65535
      Example value: 10

      9. msDS-LockoutObservationWindow:

      Attribute name: msDS-LockoutObservationWindow
      What it is: Observation Window for lockout of user accounts
      Acceptable value range:


      00:00:00:01 through msDS-LockoutDuration value

      Example value: 0:00:30:00 (30 minutes)

      10. msDS-LockoutDuration:

      Attribute name: msDS-LockoutDuration
      What it is: Lockout duration for locked out user accounts
      Acceptable value range:



      msDS-LockoutObservationWindow value through (Never)

      Example value: 0:00:30:00 (30 minutes)


      • Finally, click More Attributes:

      • In “Select which properties to view,” select msDS-PSOAppliesTo:


      • In Edit Attribute, input msDS-PSOAppliesTo as follows:
      Attribute name: msDS-PSOAppliesTo
      What it is: Links to objects that this password settings object applies to (forward link)
      Acceptable value range: 0 or more DNs of users or global security groups
      Example value: “CN=u1,CN=Users,DC=DC1,DC=contoso,DC=com”


      To show the password expiration date on Password Expiration Web Part in SharePoint 2013, follow these steps:

      • Configure the tool pane as pictured below:


        To verify that the password expiration settings were correctly applied, open Password Expiration Web Part. When you go to the Web Part, you will see that the expiration date is shown as a PSO:

        All SharePoint Versions

        The web parts are functional components that extend your SharePoint environment whether it’s hosted, on-premises, or part of Microsoft® Office 365.

        SharePoint 2013, 2016, 2019, Online (Office 365)

        On-Premises Only

        These web parts extend SharePoint beyond its out-of-the-box capabilities by tailoring it to your requirements with Bamboo Solution’s growing portfolio of SharePoint Web Parts.

        SharePoint 2013, 2016, 2019


        Product Suites

        Experience greater power and savings by bundling our SharePoint apps and web parts.

        Essentials Suite

        Essentials Plus Suite

        Bamboo Premier Suite

        Project Management Suite

        Knowledge Management Suite

        External User Manager


        For more information on our product suites, contact us.

        Featured Services

        SharePoint Health Check

        A SharePoint Health Check will identify the causes of issues and risks associated with your specific environment, and is custom tailored to provide you with the best recommendations to optimize your SharePoint environment.

        SQL Health Check

        Document recommendations relating to performance, stability, availability, or a specific focus you request of your SQL Server database instances.

        My SharePointXperts

        The truth is that each SharePoint skill may not be a full time job for many organizations, and it is nearly impossible for one person to do everything you need – so augment your team with SharePointXperts; providing the skill sets you need when you need them!