Granular Password not applying to users in groups
Hi, I am wanting to implement a Granular Password policy in my domain. I have deved it all in our 2008 R2 test environment, which works fine, but when I try and set it up on our actual 2008 domain it won't apply the policy to users in groups. The msDS-PasswordSetting class is applied to a group; from the group's attribute editor it confirms that the class is applied to it, but a user in that group will not inherit the password class. It will work if I assign the password class straight to the user, but with 300+ users I would obviously prefer to use groups. The only thing that is different is that one is at 2008 R2 functional level and the other is 2008. Am I missing something?
JC
December 7th, 2009 4:56pm

Hello JC,
Thank you for posting here. Please try the steps below to apply PSO to domain security groups.
1. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, click Password Settings Container.
4. In the details pane, right-click the PSO, and then click Properties.
5. Click the Attribute Editor tab.
6. Select the msDS-PsoAppliesTo attribute, and then click Edit.
Note: If you do not see msDS-PsoAppliesTo attribute in the Attributes list, click Filter, and then click Show attributes/Optional. Also, clear the Show only attributes that have values check box.
7. In the Multi-valued String Editor dialog box, enter the Distinguished Name (also known as DN) of the user or the global security group that you want to apply this PSO to, click Add, and then click OK.
Note: To obtain the full distinguished name of a user or a global security group, in the details pane, right-click the user or the global security group, and then click Properties. On the Attribute Editor tab, view the value of the Distinguished Name attribute in the Attributes list.
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
December 8th, 2009 6:28am

Hi Wilson,
I have already done all this, and have it working with groups on my test network. My issue is that the users in the group don't seem to inherit the policy even though they are members of the groups that the password classes are attached to.
Regards,
JC
December 8th, 2009 10:46am

Hello JC,
Based on my test on a Windows 2008 Domain environment, I could not reproduce this issue. Please verify whether the user's msDS-ResultantPSO attribute has the PSO value. If the value of the msDS-ResultantPSO attribute is Null, the Default Domain Policy is applied to the selected user account.
For your reference:
View a Resultant PSO for a User or a Global Security Group
http://technet.microsoft.com/en-us/library/cc770848(WS.10).aspx
Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
December 9th, 2009 10:50am

Hi Wilson,
In the group's msDS-PSOApplied attribute it shows that it is picking up the correct password class. However, when I check the attributes of a user who is in that group, the msDS-ResultantPSO attribute shows that it is <not set>. It is not inheriting the policy for some reason. Sorry, btw, for some reason it won't come out of bold.
Regards,
JC
December 10th, 2009 1:18pm

Hi JC,
Thank you for your response. I understand that you deploy Granular Password in a Windows 2008 domain environment. Please double check that the domain function level is set to Windows 2008, since FGPP requires the Windows 2008 domain function level.
To raise domain and forest functional levels, please refer to:
http://support.microsoft.com/kb/322692
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
December 11th, 2009 11:20am

Hi Wilson,
Yes, the functional level is currently at 2008.
Regards,
JC
December 15th, 2009 11:09am

Hello JC,
This issue looks unusual; please collect an MPS report of your server for investigation.
How to collect an MPS report:
a) Download the proper MPS Report tool from the website below.
Microsoft Product Support Reports
http://www.microsoft.com/downloads/details.aspx?FamilyID=CEBF3C7C-7CA5-408F-88B7-F9C79B7306C0&displaylang=en
b) Double-click to run it. If the requirement is not met, please follow the wizard to download and install them. After that, click Next; when the "Select the diagnostics you want to run" page appears, select General; Internet and Networking; Business Network; Server Components; click Next.
c) After collecting all log files, choose "Save the results". Choose a folder to save the <Computername>MPSReports.cab file.
For your convenience, I have created a workspace for you. You can upload the information files to the following link. (Please choose "Send Files to Microsoft")
Workspace URL: (https://sftasia.one.microsoft.com/choosetransfer.aspx?key=2c75b582-8cc9-489e-b1f5-1a74dd1d8b9d )
Password: %dC_#4knp#s
Note: Due to differences in text formatting with various email clients, the workspace link above may appear to be broken. Please be sure to include all text between '(' and ')' when typing or copying the workspace link into your browser.
Best Regards,
Wilson Jia
This posting is provided "AS IS" with no warranties, and confers no rights.
December 15th, 2009 1:31pm

Just to update you: This was fixed when I updated the server to Server 2008 R2.
JC
March 31st, 2010 4:40pm

I also have a similar problem. I use a Universal group type. It was fixed immediately when I changed the group type to Global.
December 16th, 2010 1:32pm
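
The checks discussed in this thread (what each PSO is linked to through msDS-PSOAppliesTo, whether a linked group is a global security group, and what msDS-ResultantPSO resolves to for each member), as an added PowerShell example that is not part of any post above. It assumes the ActiveDirectory module and a domain controller reachable through Active Directory Web Services; the group name in the usage comment is hypothetical.

```powershell
# Added example (not from the thread): audit PSO links and resultant PSOs.
# Assumes the ActiveDirectory module and a DC running AD Web Services.
Import-Module ActiveDirectory

function Get-PsoLinkReport {
    # One row per DN in each PSO's msDS-PSOAppliesTo (exposed as AppliesTo).
    # A PSO only takes effect for user objects and global security groups.
    foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        foreach ($dn in $pso.AppliesTo) {
            $obj    = Get-ADObject -Identity $dn
            $status = 'OK'
            if ($obj.ObjectClass -eq 'group') {
                $grp = Get-ADGroup -Identity $dn
                if ($grp.GroupScope -ne 'Global' -or $grp.GroupCategory -ne 'Security') {
                    # e.g. the Universal group reported above
                    $status = "Not effective: $($grp.GroupScope) $($grp.GroupCategory) group"
                }
            } elseif ('user', 'inetOrgPerson' -notcontains $obj.ObjectClass) {
                $status = "Not effective: object class $($obj.ObjectClass)"
            }
            New-Object PSObject -Property @{
                PSO = $pso.Name; Precedence = $pso.Precedence
                Target = $dn;    Status = $status
            }
        }
    }
}

function Get-GroupMemberResultantPso {
    # Resultant PSO for each direct user member of a group.
    # No result from the cmdlet means msDS-ResultantPSO is <not set>,
    # i.e. the Default Domain Policy applies to that account.
    param([Parameter(Mandatory = $true)][string]$Group)
    $members = Get-ADGroupMember -Identity $Group |
        Where-Object { $_.objectClass -eq 'user' }
    foreach ($m in $members) {
        $rp   = Get-ADUserResultantPasswordPolicy -Identity $m.DistinguishedName
        $name = '<not set> (Default Domain Policy)'
        if ($rp) { $name = $rp.Name }
        New-Object PSObject -Property @{ User = $m.SamAccountName; ResultantPSO = $name }
    }
}

# Usage ('PSO-Helpdesk' is a hypothetical group name):
#   Get-PsoLinkReport | Format-Table PSO, Precedence, Status, Target -AutoSize
#   Get-GroupMemberResultantPso -Group 'PSO-Helpdesk' | Format-Table -AutoSize
```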

I am also having the same issue where the PSOs are not getting applied.
DC - 2008 R2
Functional Level set to 2008
Have tried both single user as well as global security groups. msDS-ResultantPSO does show the correct PSO, yet the Default Domain Policy seems to be getting applied.
December 29th, 2011 11:06am

This topic is archived. No further replies will be accepted.
