Fine Grained Password Policy PSO

Differences can be attributed to the schema level of the domain and forest.  Adprep changes these, and I have seen environments where a higher level DC was introduced then pulled back for whatever reason.  But schema changes are permanent, so the schema level can be higher than the highest level DC still in the environment.

Another thing to look at is the functional levels of the domain.  You can have 2012 R2 DCs and still have the functional levels at 2003, for example. The functional level must be lower than the *oldest* DC OS in the environment.  Many people retire old DCs but then don't raise the functional level.

Try looking at the password policy object using the Administrative Center or a 3rd party app like Hyena.  ADSIEdit is not a friendly way to deal with PSOs.

OK, I had a feeling that was important.  note the short list is 2012 and long list is 2008 R2 level.  is there something else I should look for?  2008 R2 level seems to have more abilities.  

Newer adds more abilities. I can't think of any that we're taken away from 2008 R2, to 2012 R2. So not sure why you think 2008R2 has more features.

I understand abilities are added with each revision.  Attributes in the Fine-Grained-Password Policy must have been reduced for another reason.

Look to see if you have the msDS-xxx attributes, as these are where the PSO settings are stored.  Like I said, nothing has changed.  If you are not going to use a GUI to manage the PSO, look at the objectclass attribute.  In your original screenshot, you have shown all of the attributes defined for the object's parent, so most are <not set>, you need to scroll down to see the ones that are 'missing'.

Indeed you are correct. Logging in as the built-in administrator vs member of administrators group changed the quantity of visible attributes on Customer B's site to the appearance of Customer A.  Thank you