PSO override

I have a Password Policy in place but some Admins are changing users account options so the policy is getting ignored, see below.

Any ideas to stop this on that PSO group?

January 27th, 2015 5:34pm

I have a Password Policy in place but some Admins are changing users account options so the policy is getting ignored, see below.

Any ideas how to prevent just on the PSO group it applies to?

January 27th, 2015 5:35pm

You cannot configure the PSO object to overwrite this configuration.
However, you can proceed using two ways:

  • Update your security settings so that these administrators will not be able to enable these options on user accounts that are members of the group on which the PSO object is applied
  • Or you can have a PowerShell script that will run periodically on members of the group on which the PSO object is applied so that it disables the mentioned options if your admins have enabled them
January 27th, 2015 5:38pm
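
One way to write the scheduled script suggested in the reply above, as an added example that is not part of the original thread. It assumes the option being enabled is "Password never expires"; the PSO name and the exemption group (for accounts that legitimately need the setting) are hypothetical placeholders.

```powershell
#Requires -Modules ActiveDirectory
# Added example, not from the thread. Assumed: the option being enabled is
# "Password never expires"; both names below are hypothetical placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$PsoName     = 'PSO-Example',         # hypothetical PSO name
    [string]$ExemptGroup = 'PSO-Exempt-Accounts'  # hypothetical exemption group
)

# Accounts that legitimately keep the flag are listed in the exemption group.
$exempt = @(Get-ADGroupMember -Identity $ExemptGroup -Recursive |
    Select-Object -ExpandProperty DistinguishedName)

# A PSO is applied to users or groups; expand groups to their user members.
$userDns = foreach ($s in (Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName)) {
    if ($s.ObjectClass -eq 'group') {
        Get-ADGroupMember -Identity $s.DistinguishedName -Recursive |
            Where-Object { $_.objectClass -eq 'user' } |
            Select-Object -ExpandProperty DistinguishedName
    } elseif ($s.ObjectClass -eq 'user') {
        $s.DistinguishedName
    }
}

foreach ($dn in ($userDns | Sort-Object -Unique)) {
    if ($exempt -contains $dn) { continue }
    $user = Get-ADUser -Identity $dn -Properties PasswordNeverExpires, whenChanged
    if (-not $user.PasswordNeverExpires) { continue }

    $action = 'Found (not changed)'
    if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Clear PasswordNeverExpires')) {
        Set-ADUser -Identity $user -PasswordNeverExpires $false
        $action = 'Cleared'
    }
    # One record per drifted account, for the scheduled task's log or a report.
    [pscustomobject]@{
        Account     = $user.SamAccountName
        WhenChanged = $user.whenChanged
        Action      = $action
    }
}
```

Run it with `-WhatIf` first to list the accounts that would be changed without modifying them. Domain admins can still revert the change or edit the exemption group, so the output is mainly useful as a record of which accounts drifted and when.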

> I have a Password Policy in place but some Admins are changing users

If they do bad stuff, don't make them admins... No other way.
January 27th, 2015 6:02pm

> Update your security settings so that these administrators will not be
> able to enable these options

Might be a hard job if they are real administrators :-)
January 27th, 2015 6:07pm

"or you can have a PowerShell script that will run periodically on members of the group on which the PSO object is applied so that it disables the mentioned options if your admins have enabled them"

I have used custom delegation before and it worked but I like the idea of scheduling this. Anyone got one?

January 27th, 2015 11:21pm

preaching to the choir my friend.

however "some" accounts need that setting legitimately

January 27th, 2015 11:29pm

> preaching to the choir my friend.

Yes, I know - sad story for a long time :)

> however "some" accounts need that setting legitimately

Then either teach them what to do and what not - or make an agreement with them so you can justify when they violate it.

Always remember: An admin is an admin is an admin is an admin is an admin (can't be repeated often enough)
January 28th, 2015 1:19pm

> "or you can have a PowerShell script that will run periodically on members of the group on which the PSO object is applied so that it disables the mentioned options if your admins have enabled them"
>
> I have used custom delegation before and it worked but I like the idea of scheduling this. Anyone got one?

You can develop one. PowerShell is easy to use and develop :)
January 28th, 2015 11:52pm

Hi,

As per my knowledge, Active Directory will automatically apply the PSO with the highest priority setting, which is one of the user-controllable settings in the PSO properties.

Still, give the steps below a try:

Did you modify the PSO precedence? If not, do the following:

To modify PSO precedence using the Windows interface:

  1. Open Active Directory Users and Computers. To open Active Directory Users and Computers, click Start, point to Administrative Tools, and then click Active Directory Users and Computers.
  2. On the View menu, ensure that Advanced Features is checked.
  3. In the console tree, click Password Settings Container.
     Where? Active Directory Users and Computers\domain node\System\Password Settings Container
  4. In the details pane, right-click the PSO, and then click Properties.
  5. Click the Attribute Editor tab.
  6. Select the msDS-PasswordSettingsPrecedence attribute, and then click Edit.
  7. In the Integer Attribute Editor dialog box, enter the new value for the PSO Precedence, and then click OK.

January 30th, 2015 8:30am

thank you for your reply

the value is set to 1

my account is set to never expire and I have not been forced to change my password

my other test account does not have that set and has been prompted to change password.

ideas?

January 30th, 2015 11:16pm

Hi Jamicon,

>>Any ideas how to prevent just on the PSO group it applies to?

I know this is not the answer you want. However, as Martin suggested, if they are domain admins, then we can't really stop them, for they can revert the changes we make to them.

Best regards,
Fran

February 2nd, 2015 4:07am

This topic is archived. No further replies will be accepted.
