Get the resultant password policy for a user.

      Get-ADUserResultantPasswordPolicy [-Identity] ADUser
         [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
            [-Partition string] [-Server string] [CommonParameters]

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       "User64" or "Domain01\User64" or a PSCredential object.

   -Identity ADUser
       Specify an AD user object by providing one of the following values.
       (The identifier in parentheses is the LDAP provider name for the attribute.)

          Distinguished Name 
            Example: CN=GailMoss,OU=europe,CN=users,DC=corp,DC=SS64,DC=com 
          GUID (objectGUID) 
            Example: 599c4d2e-f72d-4d20-8a78-030d69495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-5165297888-301467370-576410423-1803
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: GailMoss

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

   -Partition string
       The distinguished name of an AD partition.
       The distinguished name must be one of the naming contexts on the current
       directory server. The cmdlet searches this partition to find the object defined by
       the -Identity parameter. 
       The following two examples show how to specify a value for this parameter.
          -Partition "CN=Configuration,DC=EUROPE,DC=TEST,DC=SS64,DC=COM"
          -Partition "CN=Schema,CN=Configuration,DC=EUROPE,DC=TEST,DC=SS64,DC=COM"
       In many cases, a default value will be used for -Partition if no value is specified.

   -Server string
       The AD Domain Services instance to connect to, this may be a Fully qualified domain name,
       NetBIOS name, Fully qualified directory server name (with or without port number) or AD Snapshot instance.

       Examples:  demo

Get-ADAccountResultantPasswordPolicy gets the resultant password policy object (RSoP) for a user.

The -Identity parameter specifies the AD user. This can be a distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. The identity may also be set with a user object variable, or passed through the pipeline.

A user can be associated with multiple password Policy Objects (PSOs), but only one PSO is the RSoP.
A PSO is associated with a user when the PSO applies directly to the user or when the PSO applies to an AD group that contains the user.

The resultant password policy gives preference to password policy objects that are applied directly to the user.

When more than one PSO policy applies directly to a user, the RSoP will consider the msDS-PasswordSettingsPrecedence attribute value. The lowest attribute value represents the highest PSO precedence.

The RSoP is defined by the AD attribute msDS-ResultantPSO.


Get the resultant password policy for the user with samAccountName 'GailMoss':

PS C:\> Get-ADUserResultantPasswordPolicy GailMoss

“However beautiful the strategy, you should occasionally look at the results” ~ Winston Churchill

Related PowerShell Cmdlets

Get-adFineGrainedPasswordPolicy - Get one or more AD fine-grained password policies.
Set-adFineGrainedPasswordPolicy - Modify an AD fine-grained password policy.

Copyright © 1999-2023
Some rights reserved