It seems to be an old problem... https://social.technet.microsoft.com/Forums/windows/en-US/858cdbc9-933b-4591-9dfc-f05d46f9ebbd/granular-password-not-applying-to-users-in-groups?forum=winserversecurity, solutions given in that thread (group security global or universal, recreating the group...) doesn't worked for me...
- create new security group, scope global, applied to PSO: attribute not showed
- create new security group, scope universal, applied to PSO: attribute not showed
- add my user directly in the PSO membership : attribute showed !
This seems not to be a access right problem, because i can get the PSO name from the "dsget" cmd, with -effectivepso parameter.
This solution is not usable since it needs the active directory snap-ins/add-ons on Windows...