Understanding the Finer Points of FGPP's
In the final installment of my little mini-series on Fine-Grained Password Policies, I thought I’d point out a few of the finer points of using this Server 2008 feature. First: who can set these policies? The short answer is domain admins. Domain admins can create Password Settings Objects (PSOs) and associate those PSOs with groups (or even individual users). However, the permissions can be delegated to non-domain-admins. You would need to delegate “create child” permissions to the Password Settings Container, and the “write property” permission to the PSO. I mention associating a PSO with an individual user. Normally you wouldn’t do that, but if the situation arises, any PSO that you apply explicitly to a single user account will take precedence over a PSO applied to a group that may contain that same user account. If you feel a strange need to apply two or more PSOs to a single user, the PSO with the smaller GUID will be the one that wins. Microsoft has given us a helpful PSO attribute, msDS-ResultantPSO, that can help out when you’re troubleshooting Fine-Grained Password Policies. This attribute is especially useful when you have overlap: multiple PSOs for the same security group. The attribute records the name of the “winning” PSO. You can see it in Active Directory Users and Computers; choose View > Advanced Features, right-click the user account, and choose Properties.




