(2007-09-11) Determining The Effective PSO For A User
Posted by Jorge on 2007-09-11
In "Windows Server 2008 – Fine-Grained Password Policies" I explain the new password and account lockout feature in Windows Server 2008. When using ADUC it is useful to know which PSO is effective for a given user and, better yet, what the settings of that effective PSO are. Of course you could use the new "Attribute Editor", look at the value of the "msDS-ResultantPSO" attribute, and then go into the "Password Settings Container" to look up that PSO. As explained in the previous post about FGPP, you need at least ALLOW:read permission on a PSO to be able to retrieve its settings. By default only "Enterprise Admins" and "Domain Admins" have that permission. Also as explained in that post, you can configure a certain group to be able to read PSO settings.
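As an added example (not code from this post, from ADUC or from PSOMGR), the resolution that produces msDS-ResultantPSO modelled offline in Python: given the PSOs linked to a user and to the user's groups, it picks the effective one by the FGPP rules (a PSO linked directly to the user beats one linked via a group, lowest msDS-PasswordSettingsPrecedence wins, the smallest objectGUID breaks a tie) and converts the raw interval attributes into the readable values a tool would display. All DNs, GUIDs and attribute values are constructed sample data, the function and class names are my own, and the exact ordering used for the GUID tie-break is an assumption noted in the code. In a real domain the same read permission on the PSO that the post describes is needed before any of these attributes can be retrieved.

```python
"""
Offline model of how AD picks the resultant PSO (msDS-ResultantPSO) for a user
and how to read the raw attribute values of a PSO.
All PSOs, DNs and GUIDs below are constructed sample data, not real directory objects.
"""
import uuid
from dataclasses import dataclass
from typing import Dict, List, Optional

# msDS-MaximumPasswordAge holds this value when passwords never expire
NEVER_EXPIRES = -(2 ** 63)
# AD "large integer" intervals are negative counts of 100-nanosecond ticks
TICKS_PER_SECOND = 10_000_000

# Attributes of the msDS-PasswordSettings class stored as intervals
INTERVAL_ATTRS = (
    "msDS-MinimumPasswordAge",
    "msDS-MaximumPasswordAge",
    "msDS-LockoutObservationWindow",
    "msDS-LockoutDuration",
)


@dataclass
class PSO:
    dn: str
    object_guid: str          # objectGUID in string form
    precedence: int           # msDS-PasswordSettingsPrecedence; lower value wins
    applies_to: List[str]     # msDS-PSOAppliesTo: DNs of users and global groups
    settings: Dict[str, int]  # remaining attributes, raw as LDAP returns them


def interval_to_text(value: int) -> str:
    """Render a PSO interval attribute as days/hours/minutes."""
    if value == NEVER_EXPIRES:
        return "never"
    seconds = -value // TICKS_PER_SECOND   # negate: AD stores intervals as negatives
    days, rest = divmod(seconds, 86400)
    hours, rest = divmod(rest, 3600)
    return f"{days}d {hours}h {rest // 60}m"


def describe(pso: PSO) -> Dict[str, str]:
    """Human-readable view of a PSO's settings."""
    out = {"msDS-PasswordSettingsPrecedence": str(pso.precedence)}
    for name, raw in pso.settings.items():
        out[name] = interval_to_text(raw) if name in INTERVAL_ATTRS else str(raw)
    return out


def _dn_eq(a: str, b: str) -> bool:
    # DNs are case-insensitive; a real client should also normalise spacing
    return a.lower() == b.lower()


def resultant_pso(user_dn: str, group_dns: List[str], psos: List[PSO]) -> Optional[PSO]:
    """
    Resolution rules for fine-grained password policies:
      1. PSOs linked directly to the user beat PSOs linked via group membership.
      2. Within the winning set, the lowest msDS-PasswordSettingsPrecedence wins.
      3. On a precedence tie, the mathematically smallest objectGUID wins
         (assumption: compared here as the 128-bit integer form of the GUID string).
      4. No applicable PSO at all means the domain's default policy applies (None).
    """
    direct = [p for p in psos if any(_dn_eq(user_dn, d) for d in p.applies_to)]
    via_group = [p for p in psos
                 if any(_dn_eq(g, d) for g in group_dns for d in p.applies_to)]
    candidates = direct or via_group
    if not candidates:
        return None
    return min(candidates, key=lambda p: (p.precedence, uuid.UUID(p.object_guid).int))


# ---- constructed sample directory -------------------------------------------
DOMAIN = "DC=example,DC=com"
USER_DN = f"CN=Jorge,CN=Users,{DOMAIN}"
USER_GROUPS = [f"CN=Domain Admins,CN=Users,{DOMAIN}", f"CN=Staff,CN=Users,{DOMAIN}"]
PSC = f"CN=Password Settings Container,CN=System,{DOMAIN}"

SAMPLE_PSOS = [
    # two group-linked PSOs with the same precedence: the GUID decides between them
    PSO(f"CN=PSO-Admins,{PSC}", "11111111-1111-1111-1111-111111111111", 10,
        [f"CN=Domain Admins,CN=Users,{DOMAIN}"],
        {"msDS-MinimumPasswordLength": 14, "msDS-PasswordHistoryLength": 24,
         "msDS-MaximumPasswordAge": -51840000000000,      # 60 days
         "msDS-LockoutThreshold": 5, "msDS-LockoutDuration": -18000000000}),  # 30 min
    PSO(f"CN=PSO-Staff,{PSC}", "22222222-2222-2222-2222-222222222222", 10,
        [f"CN=Staff,CN=Users,{DOMAIN}"],
        {"msDS-MinimumPasswordLength": 8, "msDS-MaximumPasswordAge": -77760000000000}),
    # a PSO linked directly to the user wins even with a worse (higher) precedence
    PSO(f"CN=PSO-Jorge,{PSC}", "33333333-3333-3333-3333-333333333333", 50,
        [USER_DN], {"msDS-MaximumPasswordAge": NEVER_EXPIRES}),
]

if __name__ == "__main__":
    winner = resultant_pso(USER_DN, USER_GROUPS, SAMPLE_PSOS)
    print("effective PSO:", winner.dn if winner else "default domain policy")
    if winner:
        for k, v in describe(winner).items():
            print(f"  {k}: {v}")
```

The key point for the reader: precedence only matters within one tier, so a low precedence value on a group-linked PSO never beats a PSO linked directly to the user, and two PSOs with equal precedence resolve by GUID rather than by name, which is why duplicate precedence values should be avoided.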
Assuming the permissions are in place, you could also write your own tool/script to retrieve the effective PSO and its settings. Stop! Don't do that. Somebody else already created a kick a$$ tool to manage/read/create/delete PSOs. Have a look at PSOMGR from joeware.net.
What I did was to adjust the admin context menu for user objects and add a new option. That option retrieves the effective PSO and reads that PSO's settings. When choosing that action, a script is executed which runs the tool and shows you the info. Have a look at the picture below.
To create the new context option for user objects, execute the following:
- ADMOD -replacedn XXX-CONFIG-XXX:_config -b "CN=user-Display,CN=409,CN=DisplaySpecifiers,XXX-CONFIG-XXX" "adminContextMenu:+:99,Effective PSO Settings,D:\TOOLS\CONFIG\COMMON\Effective-PSO-On-User-Object.vbs"
- Change "409" to the locale ID of the OS you are using (409 is US English)
- Change "Effective PSO Settings" to whatever name the context menu option should have
- Change "D:\TOOLS\CONFIG\COMMON\Effective-PSO-On-User-Object.vbs" to a central network location where the script "Effective-PSO-On-User-Object.vbs" can be found (that location must be reachable from whatever computer is running the context menu action)
The contents of "Effective-PSO-On-User-Object.vbs" are:
Option Explicit
Dim WshShell, objFSO
Dim wshArguments, objRootDSE
Dim strDomainControllerFLnum, strDomainFLnum
Dim strUser, Return
On Error Resume Next

' CHANGE THIS TO A CENTRAL LOCATION WHERE YOU CAN FIND PSOMGR
Const cPSOMGR = "D:\TOOLS\MISC\PSOMgr.exe"

Set WshShell = Wscript.CreateObject("Wscript.Shell")
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set wshArguments = WScript.Arguments
Set objRootDSE = GetObject("LDAP://RootDSE")

' Functional levels as reported by RootDSE: 3 = Windows Server 2008
strDomainControllerFLnum = objRootDSE.Get("domainControllerFunctionality")
strDomainFLnum = objRootDSE.Get("domainFunctionality")

' Compare as numbers (comparing a number against the string "3" is not a numeric comparison in VBScript)
If Int(strDomainControllerFLnum) < 3 Then
    Wscript.Echo("This feature can only be used on W2K8 DCs! The script will now stop.")
    Call srClearDimVars()
    Wscript.Quit(1)
End If

If Int(strDomainFLnum) < 3 Then
    Wscript.Echo("This feature can only be used on W2K8 DCs when the domain functional level is at least 'Windows Server 2008'! The script will now stop.")
    Call srClearDimVars()
    Wscript.Quit(1)
End If

If Not objFSO.FileExists(cPSOMGR) Then
    Wscript.Echo("The file location '" & cPSOMGR & "' does not exist! The script will now stop.")
    Call srClearDimVars()
    Wscript.Quit(1)
End If

' ADUC passes the selected object as "LDAP://<server>/CN=...,DC=..."; keep only the DN part
strUser = Right(wshArguments(0), Len(wshArguments(0)) - Instr(wshArguments(0), "CN=") + 1)

' Run PSOMGR in a visible console window and PAUSE afterwards so the output stays readable
Return = WshShell.Run("CMD /C " & cPSOMGR & " /EFFECTIVE " & Chr(34) & strUser & Chr(34) & " " & Chr(38) & " PAUSE", 1, True)

Call srClearDimVars()

Sub srClearDimVars()
    On Error Resume Next
    Set WshShell = Nothing
    Set objFSO = Nothing
    Set wshArguments = Nothing
    Set objRootDSE = Nothing
End Sub
It is also worth knowing that you can use DSGET to retrieve the effective PSO of a user object:
- dsget user <User-DN> -effectivepso
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
############### Jorge’s Quest For Knowledge #############