
Get-ADUserResultantPasswordPolicy



This is the built-in help made by Microsoft for the command 'Get-ADUserResultantPasswordPolicy', in PowerShell version 5 - as retrieved from Windows version 'Microsoft Windows Server 2012 R2 Standard' PowerShell help files on 2016-06-23.

For PowerShell version 3 and up, where you have Update-Help, this command was run just before creating the web pages from the help files.

SYNOPSIS

Gets the resultant password policy for a user.

SYNTAX


Get-ADUserResultantPasswordPolicy [-Identity] <ADUser> [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Partition <String>] [-Server <String>]
[<CommonParameters>]




DESCRIPTION


The Get-ADUserResultantPasswordPolicy cmdlet gets the resultant password policy object (RSoP) for a user. The RSoP is defined by the Active Directory attribute named
msDS-ResultantPSO.


A user can have multiple password policy objects (PSOs) associated with it, but only one PSO is the RSoP. A PSO is associated with a user when the PSO applies directly to
the user or when the PSO applies to an Active Directory group that contains the user. When more than one PSO policy is associated with a user or group, the RSoP value
defines the PSO to apply.


The resultant password policy or RSoP for a user is determined by using the following procedure:

-- If only one PSO is associated with a user, this PSO is the RSoP.
-- If more than one PSO is associated with a user, the PSO that applies directly to the user is the RSoP.
-- If more than one PSO applies directly to the user, the PSO with the lowest msDS-PasswordSettingsPrecedence attribute value is the RSoP and this event is logged as a
warning in the Active Directory event log. The lowest attribute value represents the highest PSO precedence. For example, if the msDS-PasswordSettingsPrecedence values of
two PSOs are 100 and 200, the PSO with the attribute value of 100 is the RSoP.
-- If there are no PSOs that apply directly to the user, the PSOs of the global security groups that have the user as a member are compared. The PSO with the lowest
msDS-PasswordSettingsPrecedence value is the RSoP.
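
The selection procedure above, modeled over constructed data as an added example (not part of Microsoft's help text). Resolve-ResultantPso, the PSO names other than DomainUsersPSO, and the sample users and groups are hypothetical; the function does not query Active Directory, and ties between equal precedence values are not modeled because the procedure above does not define them.

```powershell
# Added example: models the RSoP selection procedure on constructed objects.
# Resolve-ResultantPso is a hypothetical helper, not an ActiveDirectory module cmdlet.
function Resolve-ResultantPso {
    param(
        [Parameter(Mandatory)] [string]   $UserDN,
        [string[]] $GlobalGroupDNs = @(),          # global security groups containing the user
        [Parameter(Mandatory)] [object[]] $Psos    # objects with Name, Precedence, AppliesTo
    )
    # A PSO linked directly to the user beats any PSO inherited through a group.
    $direct = @($Psos | Where-Object { $_.AppliesTo -contains $UserDN })
    if ($direct.Count -gt 0) {
        if ($direct.Count -gt 1) {
            # Mirrors the warning the directory logs for this condition.
            Write-Warning "$($direct.Count) PSOs apply directly to $UserDN; lowest precedence value wins."
        }
        return $direct | Sort-Object -Property Precedence | Select-Object -First 1
    }
    # No direct PSO: compare the PSOs of the user's global security groups.
    $viaGroup = @($Psos | Where-Object {
        $pso = $_
        @($GlobalGroupDNs | Where-Object { $pso.AppliesTo -contains $_ }).Count -gt 0
    })
    # Emits nothing when no PSO is associated with the user.
    return $viaGroup | Sort-Object -Property Precedence | Select-Object -First 1
}

# Constructed sample data (only DomainUsersPSO and its group DN appear on this page).
$domainUsers = 'CN=Domain Users,CN=Users,DC=FABRIKAM,DC=COM'
$admins      = 'CN=Tier0 Admins,CN=Users,DC=FABRIKAM,DC=COM'
$svcBackup   = 'CN=svcBackup,CN=Users,DC=FABRIKAM,DC=COM'
$bobKe       = 'CN=BobKe,CN=Users,DC=FABRIKAM,DC=COM'
$psos = @(
    [pscustomobject]@{ Name = 'DomainUsersPSO'; Precedence = 500; AppliesTo = @($domainUsers) }
    [pscustomobject]@{ Name = 'AdminsPSO';      Precedence = 100; AppliesTo = @($admins) }
    [pscustomobject]@{ Name = 'SvcLegacyPSO';   Precedence = 200; AppliesTo = @($svcBackup) }
    [pscustomobject]@{ Name = 'SvcStrictPSO';   Precedence = 150; AppliesTo = @($svcBackup) }
)

# Case 1: one group-linked PSO only.
(Resolve-ResultantPso -UserDN $bobKe -GlobalGroupDNs $domainUsers -Psos $psos).Name
# Case 2: two group-linked PSOs; the lower precedence value is selected.
(Resolve-ResultantPso -UserDN $bobKe -GlobalGroupDNs $domainUsers, $admins -Psos $psos).Name
# Case 3: two direct PSOs plus a group PSO with a lower value; the group PSO is
# never considered, and the warning flags the overlapping direct links.
(Resolve-ResultantPso -UserDN $svcBackup -GlobalGroupDNs $admins -Psos $psos).Name
```

Case 3 is the one to look for in an audit: a service or privileged account can carry a directly linked PSO that overrides a stricter group-linked policy regardless of precedence values.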


The Identity parameter specifies the Active Directory user. You can identify a user by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts
Manager (SAM) account name. You can also set the parameter to a user object variable, such as $<localUserObject> or pass a user object through the pipeline to the Identity
parameter. For example, you can use the Get-ADUser cmdlet to retrieve a user object and then pass the object through the pipeline to the Get-ADUserResultantPasswordPolicy
cmdlet.




RELATED LINKS

Online Version: http://go.microsoft.com/fwlink/p/?linkid=291055
Get-ADUser

REMARKS


Examples


-------------------------- EXAMPLE 1 --------------------------

PS C:\>Get-ADUserResultantPasswordPolicy -Identity BobKe
Name : DomainUsersPSO
ComplexityEnabled : True
LockoutThreshold : 10
ReversibleEncryptionEnabled : False
LockoutDuration : 12:00:00
LockoutObservationWindow : 00:15:00
MinPasswordLength : 8
Precedence : 500
ObjectGUID : f8d2653c-9b3b-499e-b272-4c7f4268df4c
ObjectClass : msDS-PasswordSettings
PasswordHistoryCount : 24
MinPasswordAge : 1.00:00:00
MaxPasswordAge : 60.00:00:00
AppliesTo : {CN=Domain Users,CN=Users,DC=FABRIKAM,DC=COM}
DistinguishedName : CN=DomainUsersPSO,CN=Password Settings Container,CN=System,DC=FABRIKAM,DC=COM



This command gets the resultant password policy for the user with samAccountName BobKe.