PSO not showing when applied to security group

Arnaud Rigole 1 Reputation point
2022-04-28T15:09:22.357+00:00

Hi everyone,

We got "fine grained" PSO in our AD, applied to security groups.

I'm trying to run a logon PS script for our domain users, which retrieves the user attribute "msds-psoapplied", using [adsisearcher] like below.

[...]
$searchUser = [adsisearcher]::new()
$searchUser.Filter="SamAccountName=$($env:USERNAME)"
$user = $searchUser.FindOne().Properties
$PSOapplied = $user.'msds-psoapplied'
[...]

The problem is that the 'msds-psoapplied' attribute shows empty, except if I put my user directly in the PSO membership ("applies directly to").
I don't understand why.

Someone else here seems to have had the same problem (https://social.technet.microsoft.com/Forums/en-US/c7b7c94a-05da-45f0-be6e-3bfd60d68b30/finegrained-password-policy-not-working?forum=winserverDS); there it was a question of the "group scope" (global/universal). I've tried both, no change.

[screenshot: the attribute]

Any ideas?
Regards

Arnaud

Active Directory

1 answer

Arnaud Rigole 1 Reputation point
    2022-04-28T15:47:34.18+00:00

    It seems to be an old problem (https://social.technet.microsoft.com/Forums/windows/en-US/858cdbc9-933b-4591-9dfc-f05d46f9ebbd/granular-password-not-applying-to-users-in-groups?forum=winserversecurity); the solutions given in that thread (security group scope global or universal, recreating the group...) didn't work for me.

    Tried:

    • create a new security group, scope global, applied to the PSO: attribute not shown
    • create a new security group, scope universal, applied to the PSO: attribute not shown
    • add my user directly to the PSO membership: attribute shown!

    This doesn't seem to be an access rights problem, because I can get the PSO name from the "dsget" command with the -effectivepso parameter.
    That solution is not usable, since it needs the Active Directory snap-ins/add-ons on Windows.

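Added example, not part of the original question or answer. The behaviour described above follows from how the two attributes work: msDS-PSOApplied is a back-link of the PSO's msDS-PSOAppliesTo, so it is populated on whatever object the PSO lists directly (the group, not its members). The policy that actually applies to a user is the constructed attribute msDS-ResultantPSO, which is what `dsget user -effectivepso` reports. Constructed attributes are not returned by a DirectorySearcher unless they are named in PropertiesToLoad, which is why the [adsisearcher] snippet in the question never sees it. The script below reads both attributes for the current user with plain [adsisearcher] (no RSAT needed) and then, as an extension, summarises the effective PSO's settings. It assumes a domain-joined machine and an account that can read the PSO objects under CN=Password Settings Container,CN=System (readable only by Domain Admins by default; if msDS-ResultantPSO comes back empty for ordinary users while it works for an admin, that ACL is the first thing to check). The function names are mine.

```powershell
# Added example (not from the original post). Reads the effective PSO for a user
# via [adsisearcher] only. Assumes a domain-joined host and read access to the
# PSO objects in the Password Settings Container.

function Get-EffectivePso {
    param([string]$SamAccountName = $env:USERNAME)

    # Escape the value before embedding it in the LDAP filter (RFC 4515), so a
    # crafted username cannot change the query. Backslash must be escaped first.
    $escaped = $SamAccountName -replace '\\', '\5c' -replace '\*', '\2a' `
                               -replace '\(', '\28' -replace '\)', '\29' -replace "`0", '\00'

    $searcher = [adsisearcher]::new()
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$escaped))"

    # msDS-ResultantPSO is constructed: the DC only computes it when asked for.
    # msDS-PSOApplied is a back-link: populated only on objects listed directly
    # in a PSO's msDS-PSOAppliesTo (a group, when the PSO targets a group).
    foreach ($attr in 'distinguishedName', 'msDS-ResultantPSO', 'msDS-PSOApplied') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }

    $result = $searcher.FindOne()
    if (-not $result) { throw "User '$SamAccountName' not found in the domain" }
    $p = $result.Properties   # ResultPropertyCollection; keys are lowercase

    [pscustomobject]@{
        User         = $p['distinguishedname'][0]
        # Effective policy including group-applied PSOs; $null = default domain policy
        ResultantPSO = @($p['msds-resultantpso'])[0]
        # Only PSOs whose msDS-PSOAppliesTo lists this user object itself
        DirectPSOs   = @($p['msds-psoapplied'])
    }
}

function Get-PsoSummary {
    param([Parameter(Mandatory)][string]$PsoDistinguishedName)

    # Base-scope search on the PSO object; DirectorySearcher returns the
    # large-integer attributes as Int64, so no manual conversion is needed.
    $searcher = [adsisearcher]::new()
    $searcher.SearchRoot  = [adsi]"LDAP://$PsoDistinguishedName"
    $searcher.SearchScope = 'Base'
    $searcher.Filter      = '(objectClass=msDS-PasswordSettings)'
    foreach ($attr in 'name', 'msDS-PasswordSettingsPrecedence', 'msDS-MinimumPasswordLength',
                      'msDS-MaximumPasswordAge', 'msDS-LockoutThreshold', 'msDS-PSOAppliesTo') {
        [void]$searcher.PropertiesToLoad.Add($attr)
    }
    $p = $searcher.FindOne().Properties

    # Age values are negative Int64 in 100-ns units; Int64.MinValue means "never".
    [long]$rawAge = $p['msds-maximumpasswordage'][0]
    $maxAge = if ($rawAge -eq [long]::MinValue) { 'Never' }
              else { [math]::Round([math]::Abs($rawAge) / 864000000000, 2) }   # ticks per day

    [pscustomobject]@{
        Name             = $p['name'][0]
        Precedence       = $p['msds-passwordsettingsprecedence'][0]   # lower wins
        MinLength        = $p['msds-minimumpasswordlength'][0]
        MaxAgeDays       = $maxAge
        LockoutThreshold = $p['msds-lockoutthreshold'][0]
        AppliesTo        = @($p['msds-psoappliesto'])                 # users and/or groups
    }
}

# Usage in a logon script:
$eff = Get-EffectivePso
$eff | Format-List
if ($eff.ResultantPSO) {
    Get-PsoSummary -PsoDistinguishedName $eff.ResultantPSO | Format-List
} else {
    'No PSO applies; the default domain password policy is in effect.'
}
```

When several PSOs apply through different groups, msDS-ResultantPSO already reflects the precedence rules (lowest msDS-PasswordSettingsPrecedence wins, a directly applied PSO beats a group-applied one), so a script should never try to recompute the winner from group memberships.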
