Fine Grained Password Policy PSO

Long listShort list
Hi. I ran this same command at two different customers to create a fine grained Password policy.  in ADSIEDIT, We see differing quantities of available attributes.  One of those attributes that exists at Customer A, is missing at Customer B's site is the "AppliesTo" attribute, which is needed.    does anyone know why they differ?

Both running 2012 R2 Domain controllers.  I tried to generate forestlevel but says "Referral was returned from the server"

New-ADFineGrainedPasswordPolicy -Name "FineGrainedPSO" -Precedence 500 -ComplexityEnabled $true -Description "Fine-Grained Password Policy"-DisplayName "Fine-Grained Password Policy" -LockoutDuration "0.12:00:00" -LockoutObservationWindow "0.00:15:00" -LockoutThreshold 7 -MaxPasswordAge "155.00:00:00" -MinPasswordAge "2.00:00:00" -MinPasswordLength 8 -PasswordHistoryCount 5 -ReversibleEncryptionEnabled $false

Open in new window

Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Cliff GaliherCommented:
Differences can be attributed to the schema level of the domain and forest.  Adprep changes these, and I have seen environments where a higher level DC was introduced then pulled back for whatever reason.  But schema changes are permanent, so the schema level can be higher than the highest level DC still in the environment.

Another thing to look at is the functional levels of the domain.  You can have 2012 R2 DCs and still have the functional levels at 2003, for example. The functional level must be lower than the *oldest* DC OS in the environment.  Many people retire old DCs but then don't raise the functional level.
Kevin StanushApplication DeveloperCommented:
Try looking at the password policy object using the Administrative Center or a 3rd party app like Hyena.  ADSIEdit is not a friendly way to deal with PSOs.
csg-unitAuthor Commented:
OK, I had a feeling that was important.  note the short list is 2012 and long list is 2008 R2 level.  is there something else I should look for?  2008 R2 level seems to have more abilities.  Customer A forest - Long List of AttributesCustomer B forest - Short List of Attributes
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

Cliff GaliherCommented:
Newer adds more abilities. I can't think of any that we're taken away from 2008 R2, to 2012 R2. So not sure why you think 2008R2 has more features.
Kevin StanushApplication DeveloperCommented:
The fine grained password options have not changed since introduced.  2012 does not have any additional capabilities. Make sure you have the Advanced Features option enabled and are running as an Admin (ie 'Run As Administrator') as missing the Attribute Editor and Security tabs are good indicator that security is blocking some of the attributes from being visible.  Or, the PSO wasn't setup properly.

But your screen shot is not of the PSO anyway.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
csg-unitAuthor Commented:
I understand abilities are added with each revision.  Attributes in the Fine-Grained-Password Policy must have been reduced for another reason.
Kevin StanushApplication DeveloperCommented:
Look to see if you have the msDS-xxx attributes, as these are where the PSO settings are stored.  Like I said, nothing has changed.  If you are not going to use a GUI to manage the PSO, look at the objectclass attribute.  In your original screenshot, you have shown all of the attributes defined for the object's parent, so most are <not set>, you need to scroll down to see the ones that are 'missing'.
csg-unitAuthor Commented:
Indeed you are correct. Logging in as the built-in administrator vs member of administrators group changed the quantity of visible attributes on Customer B's site to the appearance of Customer A.  Thank you
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Windows Server 2012

From novice to tech pro — start learning today.