Problems with FGPP (Fine Grained Password Policy) and OWA.
I applied a PSO (Password Settings Object) with certain requirements; one is the duration of the password, set to 60 days. It has been applied for 33 days, but when I log into OWA, I received the message that my password is going to expire today, although there's still time for my password to expire (like 27 days). I'm confused; it seems that it's applying the duration of the domain policy, but I'm able to log on and use the resources of my network. It's the only PSO applied at the moment in my domain. I've checked the property msDS-ResultantPSO and it corresponds with the PSO I created. Another clue is that when I log on to my computer, the message that says 'you have X days, do you want to change your password now?' doesn't appear. Also, I verified this with 2 different users and the behavior is the same. Who has the fault? Exchange? (I'm using Exchange 2007 SP3.) Is AD sending the wrong information to Exchange? How could I correct this?
October 8th, 2010 12:54pm

Hi, I think the password policy for OWA is inherited from the company policy. So I recommend you run RSoP from your computer and then check which policy you have applied. Note: If you use the rsop.msc command to start RSoP, RSoP runs on the computer on which you run this command and it collects the policies that are applied to the user who is logged on and the computer account. Click Start, and then click Run. In the Open box, type rsop.msc, and then click OK. Regards, Xiu
October 11th, 2010 1:54am

Hi, sorry for the looong delay, I've had a lot of work! When I execute rsop.msc, it gives me a warning that reads: "As of Vista SP1 RSoP doesn't show all the settings of the GPO" (something like that, I'm translating). So, I used gpresult instead: gpresult /H GPreport.html. The results show that the Domain Policy is being applied for my computer. It says nothing about the PSO (Password Settings Object); it is not even being denied, maybe because it is not properly a GPO? I think Exchange is misinterpreting the expiration of my pwd somewhere. GPO or PSO? Because at the end of the day, I'm still required to use the settings specified in the PSO (expiration, complexity, pwd length...). Is it that I need to remove the Password settings from the domain policy and only use PSOs? Thanks in advance.
October 26th, 2010 3:36pm

Hi, I think you can try to remove the Password settings from Domain policy, and then check the issue again. Regards, Xiu
October 28th, 2010 2:20am

Hi. I'm afraid of an adverse impact to my 800~ users. I'm going to do the following, if you agree that it's a good approach: create an OU, move my account inside, block inheritance so it won't apply the domain policy to that OU, create a PSO for my account, and see how it behaves in OWA. Will I have to wait 15 days to see if the message is not going to appear again in OWA?
October 28th, 2010 1:26pm

Hi, I think you can create a test account and then run gpupdate /force to check the issue again. Regards, Xiu
October 31st, 2010 10:51pm

Hi, I created the user and made it a member of the group that has the PSO applied to it. I created an Exchange account for that user. I've run gpupdate /force. I executed rsop.msc and the domain policy is still applying to the user (although I've blocked inheritance on the OU where the user account resides). I will have to wait 15 days to see who wins: Domain Policy or PSO (I expect the PSO to win in terms of functionality (complexity, pwd length, pwd expiration), but the pwd expiration of the domain policy showing in OWA, only showing...).
November 3rd, 2010 1:36pm

PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider creating global security groups that contain the users from these OUs and then applying the newly defined fine-grained password and account lockout policies to them. If you move a user from one OU to another, you must update user memberships in the corresponding global security groups. Regards, Ajaj Desai (India)
November 4th, 2010 3:09am

The account is already in a Global Security Group. Does it matter if I move the account between OUs? I mean, the PSO is applying to the Global Security Group.
November 4th, 2010 12:15pm

Fine-grained password policy applies to a group, not to an OU, as said by AJAJ. As per my knowledge, changing the OU would not have an effect as long as the user is a member of the group to which the password policy is applied.
November 4th, 2010 12:53pm

I'm sorry, I can't accept it as an answer because the main problem is not solved yet.
November 4th, 2010 1:00pm

Fine-grained password policy applies to a group/user, not to an OU, as said by AJAJ. As per my knowledge, moving the user from one OU to another OU would not affect the password policy as long as the user is a member of the security group to which the password policy is applied.
November 4th, 2010 7:49pm

I know this is an old post, but just for your info, moderator: the PSO can't be shown in RSoP at all, as per MS. Xiu Zhang - MSFT :D, refresh your knowledge with searching.
June 15th, 2011 3:59am
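
As the thread notes, the resultant PSO does not show up in RSoP or gpresult output, so the values have to be read from the directory itself. The following is an added example, not part of the original thread: it reports the expiry date implied by the resultant PSO, the one implied by the Default Domain Policy, and the one the domain controller computes, so a client's expiry warning can be matched against each. It assumes the ActiveDirectory PowerShell module is available; `jdoe` and the function names are placeholders.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

function ConvertFrom-AdFileTime {
    param([Int64]$Value)
    # 0 and Int64.MaxValue are AD sentinels ("not set" / "never"), not timestamps.
    if ($Value -le 0 -or $Value -eq [Int64]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc($Value)
}

function Get-PasswordExpiryComparison {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $user = Get-ADUser -Identity $SamAccountName -Properties pwdLastSet,
        'msDS-ResultantPSO', 'msDS-UserPasswordExpiryTimeComputed'
    $lastSet  = ConvertFrom-AdFileTime $user.pwdLastSet
    $computed = $user.'msDS-UserPasswordExpiryTimeComputed'

    # Maximum password age from the Default Domain Policy (what gpresult reports).
    $domainAge = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge

    # Maximum password age from the resultant PSO; $pso is $null when none applies.
    $pso    = Get-ADUserResultantPasswordPolicy -Identity $SamAccountName
    $psoAge = if ($pso) { $pso.MaxPasswordAge } else { $null }

    # A zero max age means "never expires"; report $null in that case.
    $expiry = {
        param($age)
        if ($lastSet -and $age -and $age -gt [TimeSpan]::Zero) { $lastSet + $age }
    }

    [pscustomobject]@{
        User               = $user.SamAccountName
        PwdLastSetUtc      = $lastSet
        ResultantPSO       = $user.'msDS-ResultantPSO'
        ExpiryPerPSO       = & $expiry $psoAge
        ExpiryPerDomainGPO = & $expiry $domainAge
        # Value the DC itself computes from the policy in effect for this user.
        ExpiryPerDC        = ConvertFrom-AdFileTime $computed
    }
}

# 'jdoe' is a placeholder account name.
Get-PasswordExpiryComparison -SamAccountName 'jdoe' | Format-List
```

If `ExpiryPerDC` agrees with `ExpiryPerPSO` while the warning shown to the user agrees with `ExpiryPerDomainGPO`, the directory is reporting the PSO value and the discrepancy lies in how the client calculates the date.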

This topic is archived. No further replies will be accepted.
