Friday, 12 November 2010

Creating a PSO

You can create Password Settings objects (PSOs):

Creating a PSO using ADSI Edit

Active Directory Service Interfaces Editor (ADSI Edit) provides a view of every object and attribute in an Active Directory Domain Services (AD DS) forest. You can use ADSI Edit to query, view, and edit AD DS objects and attributes.
Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Review details about using the appropriate accounts and group memberships at Local and Domain Default Groups (http://go.microsoft.com/fwlink/?LinkId=83477).

To create a PSO using ADSI Edit

  1. Click Start, click Run, type adsiedit.msc, and then click OK.
    Note
    If you are running ADSI Edit for the first time on a domain controller, proceed to step 2. Otherwise, proceed to step 4.

  2. In the ADSI Edit snap-in, right-click ADSI Edit, and then click Connect to.
  3. In Name, type the fully qualified domain name (FQDN) of the domain in which you want to create the PSO, and then click OK.
  4. Double-click the domain.
  5. Double-click DC=<domain_name>.
  6. Double-click CN=System.
  7. Click CN=Password Settings Container.
    All the PSO objects that have been created in the selected domain appear.
  8. Right-click CN=Password Settings Container, click New, and then click Object.
  9. In the Create Object dialog box, under Select a class, click msDS-PasswordSettings, and then click Next.
  10. In Value, type the name of the new PSO, and then click Next.
  11. Continue with the wizard, and enter appropriate values for all mustHave attributes.
    Important
    To disable account lockout policies, assign the msDS-LockoutThreshold attribute the value of 0.

    Note
    To avoid ADSI Edit errors, values for the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) must be entered in the d:hh:mm:ss format (recommended) or the I8 format. Note that the d:hh:mm:ss format is only available in the Windows Server 2008 version of ADSI Edit. For more information about how to convert time unit values into I8 values, see "Negative PSO Attribute Values" in Appendix B: PSO Attribute Constraints.
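
The conversion between the d:hh:mm:ss format and the I8 format mentioned in the note above, as an added example that is not part of the original page. I8 values count 100-nanosecond intervals and the PSO time attributes are stored as negative numbers; the function names and sample durations are constructed for illustration.

```python
import re

TICKS_PER_SECOND = 10_000_000  # I8 values count 100-nanosecond intervals
_DHMS = re.compile(r"^(\d+):(\d{1,2}):(\d{1,2}):(\d{1,2})$")


def dhms_to_i8(text):
    """Convert 'd:hh:mm:ss' to the negative I8 value stored on the PSO."""
    m = _DHMS.match(text.strip())
    if not m:
        raise ValueError(f"not in d:hh:mm:ss format: {text!r}")
    days, hours, minutes, seconds = (int(g) for g in m.groups())
    if hours > 23 or minutes > 59 or seconds > 59:
        raise ValueError(f"field out of range in {text!r}")
    total = ((days * 24 + hours) * 60 + minutes) * 60 + seconds
    return -total * TICKS_PER_SECOND


def i8_to_dhms(value):
    """Convert a stored I8 interval back to 'd:hh:mm:ss' for review."""
    if value > 0 or value % TICKS_PER_SECOND:
        raise ValueError("expected zero or a negative whole number of seconds")
    minutes, seconds = divmod(-value // TICKS_PER_SECOND, 60)
    hours, minutes = divmod(minutes, 60)
    days, hours = divmod(hours, 24)
    return f"{days}:{hours:02d}:{minutes:02d}:{seconds:02d}"


# Constructed sample values, not recommendations from the page.
SAMPLE_PSO = {
    "msDS-MaximumPasswordAge": "42:00:00:00",
    "msDS-MinimumPasswordAge": "1:00:00:00",
    "msDS-LockoutObservationWindow": "0:00:30:00",
    "msDS-LockoutDuration": "0:00:30:00",
}

if __name__ == "__main__":
    for attr, text in SAMPLE_PSO.items():
        i8 = dhms_to_i8(text)
        print(f"{attr:32} {text:>12} -> {i8} -> {i8_to_dhms(i8)}")
```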


Source: http://technet.microsoft.com/en-us/library/cc754461%28WS.10%29.aspx