Password Settings Objects (PSOs) are another name for Fine-Grained Password Policies. A PSO allows an organization to have different password policies based on a security group. That means that, unlike in a Windows 2003 domain where all passwords meet the same rules, in a 2008 domain you can have multiple rules for your passwords.
The code below allows you to obtain a list of all user accounts that have a PSO assigned and what that PSO is. It is designed to be used as a function or dot-sourced into PowerShell.
<#
.SYNOPSIS
Returns a list of user names and their PSO.
.DESCRIPTION
Returns a list of user names and the Resultant
PSO that is currently in effect on that user.
.EXAMPLE
Get-PSOUsers
Returns a list to the pipeline of the username and the
PSO currently in effect on the user account.
.EXAMPLE
Get-PSOUsers | Sort-Object PSO
Returns a list of users with assigned PSOs, sorted
by the PSO.
Name           PSO
----           ---
John Yokim     CN=IT PSO,CN=Password Settings C...
Ofer Daliot    CN=IT PSO,CN=Password Settings C...
Dave Barnett   CN=IT PSO,CN=Password Settings C...
Neville Burdan CN=IT PSO,CN=Password Settings C...
#>
function Get-PSOUsers
{
    Import-Module ActiveDirectory -Cmdlet Get-ADUser
    # Get a list of user accounts and also pull the
    # attribute msDS-ResultantPSO. Also, rename
    # msDS-ResultantPSO so it can be processed.
    $UserList = Get-ADUser -Filter * -Properties msDS-ResultantPSO |
        Select-Object Name, @{Name="ResultantPSO";Expression={$_."msDS-ResultantPSO"}}
    # Create the object to hold the output of this function.
    $UserObj = @()
    # Loop through each user object and filter
    # out those that do not have a value in the
    # msDS-ResultantPSO field.
    foreach ($User in $UserList)
    {
        if ($User.ResultantPSO -Like "*Password*")
        {
            # If there is a value in msDS-ResultantPSO,
            # then add it to the output.
            $UObj = New-Object PSObject
            $UObj | Add-Member NoteProperty -Name Name -Value $User.Name
            $UObj | Add-Member NoteProperty -Name PSO -Value $User.ResultantPSO
            $UserObj += $UObj
        }
    }
    # Send the collected objects to the pipeline.
    Write-Output $UserObj
}
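An added example, not part of the original post: once each user's resultant PSO is known, an audit usually also needs the settings behind that PSO. `Get-PSOAudit`, its parameters, the 14-character baseline and the `example.com` sample data are assumptions made for illustration, and the code needs PowerShell 3.0 or later.

```powershell
# Added example, not from the original post. Joins rows shaped like
# Get-PSOUsers output (Name, PSO) to PSO objects shaped like the output of
# Get-ADFineGrainedPasswordPolicy, and flags PSOs weaker than a baseline.
function Get-PSOAudit
{
    param(
        [Parameter(Mandatory = $true)] [object[]]$Users,
        [object[]]$Policies = @(),
        # Assumed baseline; replace with your organization's requirement.
        [int]$MinimumLength = 14
    )
    # Index the policies by distinguished name for the join.
    $ByDn = @{}
    foreach ($P in $Policies) { $ByDn[$P.DistinguishedName] = $P }

    foreach ($G in ($Users | Group-Object -Property PSO))
    {
        # $Pso stays $null when the PSO object was not supplied, for example
        # because the account running the audit could not read it.
        $Pso = $ByDn[$G.Name]
        $Length = $null; $Complex = $null; $Weak = $null
        if ($null -ne $Pso)
        {
            $Length  = $Pso.MinPasswordLength
            $Complex = $Pso.ComplexityEnabled
            $Weak    = ($Length -lt $MinimumLength) -or (-not $Complex)
        }
        [PSCustomObject]@{
            PSO               = $G.Name
            SettingsRead      = ($null -ne $Pso)
            MinPasswordLength = $Length
            ComplexityEnabled = $Complex
            BelowBaseline     = $Weak
            UserCount         = $G.Count
            Users             = @($G.Group | ForEach-Object { $_.Name })
        }
    }
}

# Constructed sample data (example.com and all names are placeholders).
$Container = 'CN=Password Settings Container,CN=System,DC=example,DC=com'
$SampleUsers = @(
    [PSCustomObject]@{ Name = 'User One';   PSO = "CN=IT PSO,$Container" }
    [PSCustomObject]@{ Name = 'User Two';   PSO = "CN=IT PSO,$Container" }
    [PSCustomObject]@{ Name = 'Service One'; PSO = "CN=Svc PSO,$Container" }
)
$SamplePolicies = @([PSCustomObject]@{ DistinguishedName = "CN=IT PSO,$Container"
                                       MinPasswordLength = 8; ComplexityEnabled = $true })
Get-PSOAudit -Users $SampleUsers -Policies $SamplePolicies | Format-Table -AutoSize
# Live use: Get-PSOAudit -Users (Get-PSOUsers) -Policies (Get-ADFineGrainedPasswordPolicy -Filter *)
```

A row with `SettingsRead` set to False means the PSO's settings were not available to the join, so `BelowBaseline` is left empty rather than reported as passing.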