Information Technology Reference
In-Depth Information
The lower the precedence of the PSO, the higher the priority. If a user is subject to two
PSOs, one with a precedence of 50 and one with a precedence of 100, the PSO with a
precedence of 50 will be the password setting that is applied to the user.
Removing a pSO
You can remove a PSO with Remove-ADFineGrainedPasswordPolicy or by using the Active
Directory Administrative Center. When you remove a policy, any groups that have the policy
assigned to them revert to the appropriate GPO policy (usually the Default Domain Policy) or
to the lowest-precedence PSO if the group had multiple PSOs assigned to it.
To delegate the ability to set passwords, follow these steps:
Open Active Directory Users and Computers.
1.
Select the OU or container for which you want to delegate control.
2.
Right-click and choose Delegate Control to open the Delegation of Control Wizard.
3.
4.
Click Next on the opening screen and then click Add on the Users Or Groups page.
5.
In the Select Users, Computers, Or Groups dialog box, enter the group to which you
want to delegate control. Click Check Names to verify that it is typed correctly, or click
Advanced to search for the user or group of users.
6.
Click OK to return to the Users Or Groups page of the Delegation Of Control Wizard.
Click Next to open the Tasks To Delegate page, as shown in Figure 5-30.
7.
FIGURE 5-30
The Tasks To Delegate page of the Delegation of Control Wizard
Select Reset User Passwords And Force Password Change At Next Logon, click Next,
and then click Finish.
8.
