Tuesday, September 11, 2007 11:43 PM
Jorge
Determining the Effective PSO for a User
In "Windows Server 2008 - Fine-Grained Password Policies" I explained the new password and account lockout policy feature in Windows Server 2008. When working in ADUC it is useful to know which PSO is effective for a given user and, better yet, what the settings of that effective PSO are. You could of course open the new "Attribute Editor" tab and look at the value of the "msDS-ResultantPSO" attribute (it is a constructed attribute, so the tab's filter must be set to show constructed attributes). Once you know the PSO's DN you then browse to that PSO in the "Password Settings Container" (under the System container) to read its settings. As explained in the previous post about FGPP, you need at least ALLOW:Read permission on a PSO to be able to retrieve its settings; by default only "Enterprise Admins" and "Domain Admins" have that permission. As also explained in that post, you can grant a group of your choice read access to the PSO settings.
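To make clear what "msDS-ResultantPSO" (and PSOMGR's /EFFECTIVE output) actually computes, here is an added example that models the documented resolution rules in Python. It is not code from this post or from PSOMGR, and it queries no directory: the user, group and PSO names (CN=Alice, CN=Helpdesk, CN=IT-Admins, CN=PSO-Admins and so on) are constructed for illustration. The rules it encodes: a PSO linked directly to the user wins over PSOs linked to the global security groups the user belongs to (nested membership counts), among the candidates the lowest msDS-PasswordSettingsPrecedence value wins, a tie goes to the PSO with the mathematically smallest objectGUID, and with no applicable PSO the domain's default password policy applies. It also decodes the age attributes, which are stored as negative 100-nanosecond counts just like the domain's maxPwdAge.

```python
"""Model of how AD computes a user's resultant PSO (msDS-ResultantPSO).

Added example with constructed data: the user, group and PSO names below are
hypothetical and do not come from any real directory or from PSOMGR.
"""
import uuid
from dataclasses import dataclass

# Age/lockout intervals on a PSO are stored like the domain's maxPwdAge:
# negative 64-bit counts of 100-nanosecond ticks; this special value is "never".
NEVER = -(2 ** 63)
TICKS_PER_DAY = 24 * 60 * 60 * 10_000_000


@dataclass(frozen=True)
class PSO:
    dn: str
    precedence: int          # msDS-PasswordSettingsPrecedence; lower wins
    object_guid: uuid.UUID   # objectGUID; the documented tie-breaker
    applies_to: tuple        # msDS-PSOAppliesTo: user and global security group DNs
    max_password_age: int    # msDS-MaximumPasswordAge, raw I8 value
    lockout_threshold: int   # msDS-LockoutThreshold


def pso(dn, precedence, guid_int, applies_to, max_age_days, lockout_threshold):
    """Build a PSO, encoding max_age_days the way the directory stores it (None = never)."""
    raw_age = NEVER if max_age_days is None else -max_age_days * TICKS_PER_DAY
    return PSO(dn, precedence, uuid.UUID(int=guid_int), tuple(applies_to),
               raw_age, lockout_threshold)


def interval_to_days(raw):
    """Decode a negative 100-ns interval attribute to days; None means 'never'."""
    return None if raw == NEVER else -raw / TICKS_PER_DAY


def transitive_groups(user_dn, groups):
    """All group DNs the user belongs to, following nested membership.

    `groups` maps a group DN to its direct members (users or groups), i.e. the
    reverse of memberOf; the walk stops when no new parent group appears.
    """
    result, frontier = set(), {user_dn}
    while frontier:
        parents = {g for g, members in groups.items() if frontier & set(members)}
        parents -= result
        result |= parents
        frontier = parents
    return result


def resultant_pso(user_dn, groups, psos):
    """Replicate the msDS-ResultantPSO rules.

    1. PSOs linked directly to the user win over PSOs linked to its groups.
    2. Among the candidates, the lowest precedence value wins.
    3. Equal precedence: the mathematically smallest objectGUID wins.
    4. No applicable PSO: None, meaning the domain's default password policy.
    """
    def pick(candidates):
        return min(candidates, key=lambda p: (p.precedence, p.object_guid.int))

    direct = [p for p in psos if user_dn in p.applies_to]
    if direct:
        return pick(direct)
    member_of = transitive_groups(user_dn, groups)
    via_group = [p for p in psos if member_of & set(p.applies_to)]
    return pick(via_group) if via_group else None


def describe(user_dn, groups, psos):
    """Summary in the spirit of PSOMGR /EFFECTIVE: which PSO, and its decoded settings."""
    winner = resultant_pso(user_dn, groups, psos)
    if winner is None:
        return {"pso": "Default Domain Policy (no PSO applies)"}
    return {"pso": winner.dn,
            "precedence": winner.precedence,
            "max_password_age_days": interval_to_days(winner.max_password_age),
            "lockout_threshold": winner.lockout_threshold}


# --- constructed directory fragment (hypothetical names) ---------------------
PSC = "CN=Password Settings Container,CN=System,DC=example,DC=com"
USER = "CN=Alice,OU=Staff,DC=example,DC=com"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=example,DC=com"
IT_ADMINS = "CN=IT-Admins,OU=Groups,DC=example,DC=com"
GROUPS = {HELPDESK: [USER], IT_ADMINS: [HELPDESK]}   # Alice is nested into IT-Admins
PSOS = [
    pso("CN=PSO-Helpdesk," + PSC, 20, 2, [HELPDESK], 60, 10),
    pso("CN=PSO-Admins," + PSC, 10, 1, [IT_ADMINS], 30, 5),
    # Stricter precedence, but not linked to anything Alice is in: ignored.
    pso("CN=PSO-Service," + PSC, 5, 3,
        ["CN=svc-backup,OU=Service,DC=example,DC=com"], None, 0),
]

if __name__ == "__main__":
    print(describe(USER, GROUPS, PSOS))
```

Running it shows Alice ending up with PSO-Admins (precedence 10, reached through the nested IT-Admins membership) even though PSO-Helpdesk is linked to a group she is a direct member of; PSO-Service has the best precedence of all but never applies to her. The model is only a reading aid for the attribute value you get from the Attribute Editor, PSOMGR or DSGET; it cannot replace querying the DC, because the DC also takes the PSO permissions and replication state into account.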
Assuming the permissions are in place, you could also write your own tool/script to retrieve the effective PSO and its settings. Stop! Don't do that. Somebody else has already created a kick-a$$ tool to manage/read/create/delete PSOs: have a look at PSOMGR from joeware.net.
What I did was adjust the admin context menu for user objects and add a new option. That option retrieves the effective PSO for the selected user and reads that PSO's settings: when you choose it, a script runs PSOMGR and shows you the output. Have a look at the picture below.
To create the new context option for user objects, execute the following:
ADMOD -replacedn XXX-CONFIG-XXX:_config -b "CN=user-Display,CN=409,CN=DisplaySpecifiers,XXX-CONFIG-XXX" "adminContextMenu:+:99,Effective PSO Settings,D:\TOOLS\CONFIG\COMMON\Effective-PSO-On-User-Object.vbs"
Change "409" to the locale ID (LCID, in hex) of the OS language you are using; 409 is US English.
Change "Effective PSO Settings" to whatever name the context menu option should have.
Change "D:\TOOLS\CONFIG\COMMON\Effective-PSO-On-User-Object.vbs" to a central network location where the script "Effective-PSO-On-User-Object.vbs" can be found (that location must be reachable from every computer on which the context menu is used). Keep in mind that the script runs with the credentials of whoever clicks the menu option, typically a domain admin, so only admins should be able to write to that location. The display specifier lives in the configuration partition, so the change replicates to the whole forest.
The contents of "Effective-PSO-On-User-Object.vbs" are:
Option Explicit
On Error Resume Next

Dim WshShell, objFSO, wshArguments, objRootDSE
Dim strDomainControllerFLnum, strDomainFLnum
Dim strUser, Return

' CHANGE THIS TO A CENTRAL LOCATION WHERE YOU CAN FIND PSOMGR (path without spaces)
Const cPSOMGR = "D:\TOOLS\MISC\PSOMgr.exe"

Set WshShell = WScript.CreateObject("WScript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set wshArguments = WScript.Arguments

' Functional levels are numbers: 3 = Windows Server 2008. Compare them as numbers,
' not against the string "3": in VBScript a number is always "less than" a string,
' which would make the check below fail on every DC.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDomainControllerFLnum = objRootDSE.Get("domainControllerFunctionality")
strDomainFLnum = objRootDSE.Get("domainFunctionality")

If Int(strDomainControllerFLnum) < 3 Then
    WScript.Echo "This feature can only be used on W2K8 DCs! The script will now stop."
    Call srClearDimVars()
    WScript.Quit(1)
End If

If Int(strDomainFLnum) < 3 Then
    WScript.Echo "This feature can only be used on W2K8 DCs when the domain functional level is at least 'Windows Server 2008'! The script will now stop."
    Call srClearDimVars()
    WScript.Quit(1)
End If

If Not objFSO.FileExists(cPSOMGR) Then
    WScript.Echo "The file location '" & cPSOMGR & "' does not exist! The script will now stop."
    Call srClearDimVars()
    WScript.Quit(1)
End If

' ADUC passes the selected object's ADsPath (LDAP://CN=...,DC=...) as the first argument;
' strip everything before "CN=" to get the user's DN.
strUser = Mid(wshArguments(0), InStr(wshArguments(0), "CN="))

' Run PSOMGR in a visible console window, wait for it, and PAUSE so the output stays on screen.
Return = WshShell.Run("CMD /C " & cPSOMGR & " /EFFECTIVE " & Chr(34) & strUser & Chr(34) & " " & Chr(38) & " PAUSE", 1, True)
Call srClearDimVars()

Sub srClearDimVars()
    On Error Resume Next
    Set WshShell = Nothing
    Set objFSO = Nothing
    Set wshArguments = Nothing
    Set objRootDSE = Nothing
    ' These are plain strings/numbers, not objects, so they are cleared without Set
    strDomainControllerFLnum = Empty
    strDomainFLnum = Empty
    strUser = Empty
    Return = Empty
End Sub
UPDATE:
Interesting to know is that you can also use DSGET to retrieve the effective PSO of a user object:
- dsget user <User-DN> -effectivepso
Also see: Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration
Cheers,
Jorge
--------------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
--------------------------------------------------------------------------------------------------
############### Jorge's Quest For Knowledge ###############
######## http://blogs.dirteam.com/blogs/jorge/default.aspx #########
--------------------------------------------------------------------------------------------------