Q: When using fine-grained password policies, how can I check what policy is being applied to a specific user?

A: Fine-grained password policies are a great new feature in Windows Server 2008. They allow different security policies related to password and lockout configuration to be applied to users based on the groups a user is in, instead of one policy for the entire domain.

To check which Password Settings Object (PSO) is being applied to a user, run the following command on a domain controller (DC):

dsquery user -samid <username> | dsget user -effectivepso

Here’s an example of how it would run on a particular DC:

C:\Users\administrator.SAVILLTECH>dsquery user -samid john | dsget user -effectivepso
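
The same check extended from one user to every user in a group, as an added example that is not part of the original answer. It goes beyond the single-user case by flagging accounts with no PSO, which fall back to the domain's default password policy. It assumes the ActiveDirectory PowerShell module is installed and that the account running it can read PSOs; the group name is a sample value.

```powershell
# Added example: list the effective (resultant) PSO for every user in a group.
# Assumes the ActiveDirectory module; $GroupName is a sample value to replace.
Import-Module ActiveDirectory

$GroupName = 'Domain Admins'

# Read every PSO once and index it by distinguished name.
$psoByDn = @{}
Get-ADFineGrainedPasswordPolicy -Filter * | ForEach-Object {
    $psoByDn[$_.DistinguishedName] = $_
}

Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        # msDS-ResultantPSO holds the DN of the PSO that wins for this user.
        $user  = Get-ADUser -Identity $_.DistinguishedName -Properties 'msDS-ResultantPSO'
        $psoDn = $user.'msDS-ResultantPSO'

        $pso = $null
        if ($psoDn) { $pso = $psoByDn[[string]$psoDn] }

        $user | Select-Object SamAccountName,
            @{ Name = 'EffectivePSO'; Expression = {
                if ($psoDn) { [string]$psoDn } else { '(none: default domain policy applies)' }
            } },
            @{ Name = 'Precedence';        Expression = { if ($pso) { $pso.Precedence } } },
            @{ Name = 'MinPasswordLength'; Expression = { if ($pso) { $pso.MinPasswordLength } } },
            @{ Name = 'LockoutThreshold';  Expression = { if ($pso) { $pso.LockoutThreshold } } }
    } |
    Sort-Object EffectivePSO, SamAccountName |
    Format-Table -AutoSize
```

For accounts reported with no PSO, `Get-ADDefaultDomainPasswordPolicy` shows the settings that actually apply.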