Help with ADSI edit

I am working my way through a UK government document that details various recommended group policy settings to ensure our system meets their guidelines.

I have reached a section that I am not familiar with. I think I need to use ADSIedit here.

It says:

CN=System > CN=Password Settings Container > CN=Granular Password Settings Users

It then details various settings.

I found the first two CNs and then manually created the "Granular Password Settings Users" object.

I then added the settings it suggested but at the bottom it says that I need to apply this to Domain Users.

How do I apply these settings to domain users? I then have a similar selection of settings that should apply to Domain Admins.
Asked by: roy_batty (Director)

FOX (Active Directory/Exchange Engineer) commented:
Roy,
In Group Policy Management, double-click on the policy > Delegation tab > Add Domain Admins (if they are not there), click the Advanced button and highlight Domain Admins again. In the bottom pane, click Apply group policy on the "Allow" side.
roy_batty (Director, Author) commented:
I appreciate that I can do this with GPOs but how does this apply the settings I created in ADSIedit?
FOX (Active Directory/Exchange Engineer) commented:
I'm sorry, I misinterpreted what you stated. In ADSIedit, right-click the "Granular Password Settings Users" object you created > Properties > Security tab. Add Domain Admins if they are not there. Highlight Domain Admins; at the bottom, under Permissions for Domain Admins (scroll down until you see "Apply group Policy"), put a tick inside Allow.
roy_batty (Director, Author) commented:
OK. I can't see "Apply group Policy" in the security tab or in advanced either.
FOX (Active Directory/Exchange Engineer) commented:
In ADsiedit, the new policy you created, right-click that and click properties.  The next box will have a security tab.  You are not able to see any of that?
roy_batty (Director, Author) commented:
I can see the security tab and Domain Admins is already in there, but when I scroll down I can't see a check box marked "Apply group policy".
FOX (Active Directory/Exchange Engineer) commented:
Highlight Domain Admins, then click Edit.
David McIntosh commented:
I know the document you are referring to, and this is not a GPO despite the heading name on the column. These policies are password policies assigned to groups and replicated throughout the domain in AD's configuration partition; you create one policy for users and one for administrators.

To apply these policies to the group, you view the attributes of the object just created, browse to the msDS-PSOAppliesTo attribute and set the property to the DN of the user/s or global security group/s, i.e. CN=Domain Admins,CN=Users,DC=DOMAIN,DC=Local.

(This can also be set in ADUC, set view to Advanced, browse to system> password settings container> view the properties on the object and go to the attribute editor tab)

If multiple policies apply to a user account, the msDS-ResultantPSO attribute on the user account will show you which policy wins, and you can use the msDS-PSOApplied attribute to view which policy is applied to a user account.

A fair bit of doco is provided by MS for this: https://technet.microsoft.com/en-us/library/cc770842(v=ws.10).aspx
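The linking step described in the answer above (populating msDS-PSOAppliesTo) can also be done and verified from PowerShell. This is an added example, not part of the original thread; it assumes the ActiveDirectory module is installed and that you have rights to modify PSOs, and the admin PSO name and the `jsmith` account are hypothetical placeholders.

```powershell
# Added example (not from the thread). Requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

# The users PSO name comes from the question; the admins PSO name and the
# test account below are hypothetical placeholders.
$links = @{
    'Granular Password Settings Users'  = 'Domain Users'
    'Granular Password Settings Admins' = 'Domain Admins'
}
$testUser = 'jsmith'

foreach ($psoName in $links.Keys) {
    # Stops here if the object made in ADSI Edit is missing or is not a
    # msDS-PasswordSettings object.
    $pso   = Get-ADFineGrainedPasswordPolicy -Identity $psoName -ErrorAction Stop
    $group = Get-ADGroup -Identity $links[$psoName] -ErrorAction Stop

    # PSOs take effect only on users and global security groups.
    if ($group.GroupScope -ne 'Global' -or $group.GroupCategory -ne 'Security') {
        Write-Warning "$($group.Name) is not a global security group; skipping."
        continue
    }

    # Adds the group's DN to msDS-PSOAppliesTo unless it is already listed.
    if ($pso.AppliesTo -notcontains $group.DistinguishedName) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group
    }
}

# Audit: every PSO with its precedence and targets. A PSO with no targets
# (the state described in the question) affects nobody.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, LockoutThreshold,
        @{ n = 'AppliesTo'; e = { $_.AppliesTo -join '; ' } },
        @{ n = 'Unlinked';  e = { $_.AppliesTo.Count -eq 0 } } |
    Format-Table -AutoSize

# Which PSO wins for one account (the msDS-ResultantPSO lookup).
$resultant = Get-ADUserResultantPasswordPolicy -Identity $testUser
if ($resultant) {
    "{0}: resultant PSO is '{1}' (precedence {2})" -f $testUser, $resultant.Name, $resultant.Precedence
} else {
    "{0}: no PSO applies; the domain password policy is in effect" -f $testUser
}
```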
FOX (Active Directory/Exchange Engineer) commented:
Roy,
I was able to do it where I mentioned to you because I have Enterprise and Schema admin rights.  If you don't have those rights you may have to reference the document David posted to get your end result.
roy_batty (Director, Author) commented:
Great, thanks for the help.
Windows Server 2012