Synopsis
Description
A user can have multiple password policy objects (PSOs) associated with it, but only one PSO is the RSoP. A PSO is associated with a user when the PSO applies directly to the user or when the PSO applies to an Active Directory group that contains the user. When more than one PSO is associated with a user or group, the RSoP value defines the PSO to apply.
The resultant password policy or RSoP for a user is determined by using the following procedure.
- If only one PSO is associated with a user, this PSO is the RSoP.
- If more than one PSO is associated with a user, the PSO that applies directly to the user is the RSoP.
- If more than one PSO applies directly to the user, the PSO with the lowest msDS-PasswordSettingsPrecedence attribute value is the RSoP and this event is logged as a warning in the Active Directory event log. The lowest attribute value represents the highest PSO precedence. For example, if the msDS-PasswordSettingsPrecedence values of two PSOs are 100 and 200, the PSO with the attribute value of 100 is the RSoP.
- If there are no PSOs that apply directly to the user, the PSOs of the global security groups that have the user as a member are compared. The PSO with the lowest msDS-PasswordSettingsPrecedence value is the RSoP.
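The four rules above, implemented as an added PowerShell example (not code from the cmdlet reference) that resolves the RSoP from in-memory PSO objects and constructed sample data; the function name Resolve-PsoRsop, the group list supplied by the caller, and the sample DNs are assumptions, and no live directory is queried.

```powershell
# Added example: applies only the precedence rules listed above. The caller
# supplies the user's group membership (constructed here); nested groups are
# not expanded, and no directory call is made.
function Resolve-PsoRsop {
    param(
        [Parameter(Mandatory)] [string]   $UserDn,
        [string[]]                        $GroupDns = @(),  # groups containing the user
        [Parameter(Mandatory)] [object[]] $Psos            # Name, Precedence, AppliesTo
    )
    # PSOs that apply directly to the user
    $direct = @($Psos | Where-Object { $_.AppliesTo -contains $UserDn })
    # PSOs that apply to one of the user's groups
    $viaGroup = @($Psos | Where-Object {
        $pso = $_
        @($GroupDns | Where-Object { $pso.AppliesTo -contains $_ }).Count -gt 0
    })
    $associated = @($direct + $viaGroup | ForEach-Object Name | Sort-Object -Unique)
    if ($associated.Count -eq 0) { return $null }          # default domain policy applies
    if ($associated.Count -eq 1) { return ($direct + $viaGroup)[0] }
    if ($direct.Count -gt 1) {
        # AD logs this condition as a warning; mirrored here for the caller
        Write-Warning "$($direct.Count) PSOs apply directly to $UserDn; lowest msDS-PasswordSettingsPrecedence wins"
    }
    # A directly applied PSO takes priority over group PSOs, whatever their precedence values;
    # among the remaining candidates the lowest precedence value is the RSoP.
    $candidates = if ($direct.Count -gt 0) { $direct } else { $viaGroup }
    return $candidates | Sort-Object Precedence | Select-Object -First 1
}

# Constructed sample data (not real directory objects)
$domainUsers = 'CN=Domain Users,CN=Users,DC=TOSSolution,DC=COM'
$admins      = 'CN=Admins,CN=Users,DC=TOSSolution,DC=COM'
$kamala      = 'CN=Kamala,CN=Users,DC=TOSSolution,DC=COM'
$psos = @(
    [pscustomobject]@{ Name = 'DomainUsersPSO'; Precedence = 500; AppliesTo = @($domainUsers) },
    [pscustomobject]@{ Name = 'AdminsPSO';      Precedence = 100; AppliesTo = @($admins) },
    [pscustomobject]@{ Name = 'KamalaPSO';      Precedence = 900; AppliesTo = @($kamala) }
)
# Direct PSO present: chosen regardless of the group PSOs' precedence values
Resolve-PsoRsop -UserDn $kamala -GroupDns @($domainUsers, $admins) -Psos $psos
# No direct PSO: the group PSO with the lowest precedence value is chosen
Resolve-PsoRsop -UserDn 'CN=Bob,CN=Users,DC=TOSSolution,DC=COM' -GroupDns @($domainUsers, $admins) -Psos $psos
```

Compare the result with the output of Get-ADUserResultantPasswordPolicy for the same user to confirm the directory agrees with the expected precedence.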
The Identity parameter specifies the Active Directory user. You can identify a user by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the parameter to a user object variable, such as $<localUserObject> or pass a user object through the pipeline to the Identity parameter. For example, you can use the Get-ADUser cmdlet to retrieve a user object and then pass the object through the pipeline to the Get-ADUserResultantPasswordPolicy cmdlet.
Parameters
-AuthType
Specifies the authentication method to use. Possible values for this parameter include:
Required? false
Position? named
Default value Microsoft.ActiveDirectory.Management.AuthType.Negotiate
Accept pipeline input? false
Accept wildcard characters? false
-Credential <PSCredential>
Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Identity <ADUser>
Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute.
Required? true
Position? 1
Default value
Accept pipeline input? True (ByValue)
Accept wildcard characters? false
-Partition <String>
Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
-Server <String>
Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Required? false
Position? named
Default value
Accept pipeline input? false
Accept wildcard characters? false
Syntax
Get-ADUserResultantPasswordPolicy [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADUser> [-Partition <String>] [-Server <String>] [<CommonParameters>]
Notes
This cmdlet does not work with AD LDS.
Examples
C:\PS>Get-ADUserResultantPasswordPolicy Kamala
Name : DomainUsersPSO
ComplexityEnabled : True
LockoutThreshold : 10
ReversibleEncryptionEnabled : False
LockoutDuration : 12:00:00
LockoutObservationWindow : 00:15:00
MinPasswordLength : 8
Precedence : 500
ObjectGUID : f8d2653c-4sds-565c-b272-4c7f4268df4c
ObjectClass : msDS-PasswordSettings
PasswordHistoryCount : 24
MinPasswordAge : 1.00:00:00
MaxPasswordAge : 60.00:00:00
AppliesTo : {CN=Domain Users,CN=Users,DC=TOSSolution,DC=COM}
DistinguishedName : CN=DomainUsersPSO,CN=Password Settings Container,CN=System,DC=TOSSolution,DC=COM
Related Links
Get-Command Get-ADUserResultantPasswordPolicy
Get-ADUser