I finished V01.00.00 of PSOMgr yesterday. PSOMgr is a command line utility I built to help manage the Fine-Grained Password Policy (FGPP) Password Settings Objects (PSOs) that are present in Longhorn Server Active Directory. I also set it up to manage the Domain Password Policy settings as well.
If you didn’t read my previous info on FGPP then you can check that out here – http://blog.joeware.net/2007/03/18/828/
The goal was to have it ready for the Directory Experts Conference 2007, for release at the conference during the Longhorn Workshop on Sunday. The conference attendees will receive a special link to download the utility about a week before the general public can download it. That probably isn’t terribly enticing for many, because Longhorn is still in beta and won’t be released until at least the end of this year, but don’t forget that PSOMgr can be used for displaying and modifying your domain password policy as well… So if you don’t go to DEC, you have to wait a whole week longer than you would if you were at DEC.
Here is sample output showing the current domain policy for both domains in my Longhorn test forest. Note that this will work on any Active Directory forest, regardless of the OS level of the Active Directory.
F:\Dev\BDSCPP\PSOMgr\Release_Build>psomgr /h lhb2-dc1 /view /dompol /alldoms
PSOMgr V01.00.00cpp Joe Richards (joe@joeware.net) April 2007
Using host: Default-First-Site-Name\LHB2-DC1.lhtest.loc
Retrieving Domain Policy...
Policy Listing
--------------
Policy #1
Type : Domain Policy
Domain : lhchild.lhtest.loc
Policy Precedence : 2147483647
DN : DC=lhchild,DC=lhtest,DC=loc
Name : lhchild
Canonical Name : lhchild.lhtest.loc/
Display Name : lhchild
Lockout Threshold : 0
Lockout Duration : 30
Lockout Observation: 30
Min Pwd Age : 1
Max Pwd Age : 42
Min Pwd Length : 7
Pwd History : 24
Pwd Complexity : TRUE
Pwd Reversible : FALSE
Policy #2
Type : Domain Policy
Domain : lhtest.loc
Policy Precedence : 2147483647
DN : DC=lhtest,DC=loc
Name : lhtest
Canonical Name : lhtest.loc/
Display Name : lhtest
Lockout Threshold : 0
Lockout Duration : 30
Lockout Observation: 30
Min Pwd Age : 0
Max Pwd Age : 91
Min Pwd Length : 7
Pwd History : 24
Pwd Complexity : TRUE
Pwd Reversible : FALSE
The command completed successfully.
Here is the usage info for the utility:
PSOMgr V01.00.00cpp Joe Richards (joe@joeware.net) April 2007
-help Help.
-? Help.
Usage:
PSOMgr [switches]
Switches: (designated by - or /)
[CONNECTION OPTIONS]
-h host Host to use. Defaults to default Domain Controller
[ACTION OPTIONS]
-view View PSOs and/or Domain Policies.
-rename xxx Rename PSO to new name xxx. Select PSO to rename with
selection criteria below. Best to specify -pso PSO_DN
-del Delete PSO. Select PSO to delete with selection criteria
below. Best to specifify -pso PSO_DN
-multidel Delete multiple PSOs. Select PSOs to delete with selection
criteria below.
DELETE NOTES:
o By default you cannot delete a PSO that has a member
assigned to it. Use -override to override.
-quickstart Quickstart mode to create several base PSOs automatically.
Will generate a copy of the domain policy as a PSO, will
also generate a fixed list of additional common PSOs. If you
would like to generate copies of the domain policies for
every domain in the forest in the specified domain, use the
-alldoms switch. This could be useful for domain collapse.
-effective xxx Display effective policy information for user xxx. The
xxx value could be specified as SAM Name, UPN, or DN.
-applyto xxx Apply policy specified with criteria to object specified
in xxx, could be SAM Name, UPN, or DN.
-unapplyto xxx Same as -applyto but unapplies.
-clearapplied Clear all members from PSO assignment. Specify PSO with
with selection criteria.
-applied Show objects that the PSO is applied to. Specify PSO(s) with
selection criteria. Will only show members from the same domain
as they are the only ones that will be effective. Format of
output:
resultantflag[objecttype] DN (SamName | UPN)
The resultantflag field could be
empty for non-user type objects
+ if resultant policy is the same as displayed policy.
- if resultant policy is different from displayed policy.
-add xxx Add PSO with selected attributes in xxx. Specify domain to
create PSO in with -domain switch.
ADD NOTES:
o Format of xxx is specified below in ADD/MOD NOTES.
o By default if you specify a PSO that matches the policy
settings of an existing PSO it will disallow the add
operation and let you know what that PSO's DN is.
-mod xxx Modify PSO with selected new attributes in xxx. Specify PSO
with selection criteria, preferably PSO DN.
MOD NOTES:
o Format of xxx is specified below in ADD/MOD NOTES.
-forreal Really do any actions that make changes.
ADD/MOD NOTES:
The -add and -mod switches are probably the most complex in this
utility because of the amount of information that can be specified.
There are 12 pieces of information needed to create a PSO. To keep
things consistent the same format is used for -mod. The fields are:
name - Required for add. Not req'd for mod, will rename PSO.
displayname - Not required for add nor mod. Defaults to name.
precedence - Precedence of policy, required for add. Lowest wins.
maxpwdage - Max password Age in days. Not required, default value.
minlength - Min password length. Not required, default value.
history - password history count. Not required, default value.
lo_count - Lockout Threshold. Not required, default value.
lo_duration - Lockout Duration in mins. Not required, default value.
lo_observe - Lockout Observation in mins. Not required, default value.
minpwdage - Min password Age in days. Not required, default value.
complexity - Password complexity (true/false). Not required, default value.
reversible - Password reversible (true/false). Not required, default value.
The default format for specifying the info is a single colon delimited string:
name:displayname:precedence:maxpwdage:minlength:history:lo_count:
lo_duration:lo_observe:minpwdage:complexity:reversible
To make this simpler, not all values need to be specified this way,
most of the fields have default values if you want to accept them. If
you want to find out what the default values are, specify -add with
the few required attributes but don't specify -forreal and PSOMgr will
tell you all of the values. There are also 'override' switches to allow
you to specify specific fields with additional switches. If these
are used you just have to specify the first 4 fields for an add in
colon delimited format.
-lockout threshold:duration:observation
-pwdage max:min
-pwdlen minlength
-pwdhist historycount
-pwdcomplex (true|false)
-pwdreverse (true|false)
[SELECTION CRITERIA OPTIONS]
-pso [xxx] Specify a specific PSO with name/displayname xxx or with
no specified xxx to view all PSOs.
-dompol Specifies Domain Policy.
-allpwdpols Specifies both domain policy and PSOs.
-alldoms Look at all domains in forest.
-domain xxx Policy for Domain xxx.
-used Only PSOs that have members applied to them.
-unused Only PSOs that do not have members applied to them.
[AUTHENTICATION OPTIONS]
-u id Userid authentication. AD simple bind supports All ID
formats and secure bind only supports ID formats 1 and 2.
No userid specified indicates anonymous authentication.
ID Formats
1. domain\userid
2. user@domain.com (userPrincipalName)
3. cn=user,ou=someou,dc=domain,dc=com (DN)
-up pwd Password for specified userid. * indicates to ask for password.
-simple Simple Bind
[OUTPUT OPTIONS]
-dn Only display PSO DNs
-dnprec For view action, display PSO and precedence only.
-v Verbose output, give more info about what is going on.
-sort xxx Change sort order output.
xxx = precedence - Sort by domain + policy precedence.
default sort - Sort by type + canonicalName.
Examples:
View Examples
psomgr /view /dompol
View domain policy of default domain.
psomgr /view /pso
View PSOs in default domain.
psomgr /view /pso /domain domx
View PSOs in domain domx.
psomgr /view /pso /used
View used PSOs in default domain.
psomgr /view /pso /unused
View unused PSOs in default domain.
psomgr /view /pso test
View PSO with name,displayname, or admindisplayname of test
in default domain.
psomgr /view /allpwdpols
View all password policies in default domain.
psomgr /view /pso /alldoms
View PSOs in all domains in forest.
psomgr /view /dompol /alldoms
View domain policies in all domains.
psomgr /view /allpwdpols /alldoms
View all password policies in all domains.
psomgr /view /allpwdpols /alldoms /h serverx
View all password policies in all domains, use serverx as
a starting point.
psomgr /view /allpwdpols /alldoms /h serverx /sort precedence
View all password policies in all domains, use serverx as
a starting point and sort by policy precedence.
Add Examples
psomgr /add newpso10::1 /lockout 99:99:99 /pwdage 100:100
/pwdcomplex TRUE /pwdreverse true /pwdlen 101
Add PSO newpso10 with precedence of 1 and other specified values.
Will NOT create since /forreal is not specified.
psomgr /add newpso10::1 /lockout 99:99:99 /pwdage 100:100
/pwdcomplex TRUE /pwdreverse true /pwdlen 101 /forreal
Add PSO newpso10 with precedence of 1 and other specified values.
This will really create the PSO.
psomgr /add testpso-1::1000
Add PSO newpso-1 with precedence of 1, use defaults for the rest.
Will NOT create since /forreal is not specified.
psomgr /add testpso-1::1000 /forreal
Add PSO newpso-1 with precedence of 1, use defaults for the rest.
This will really create the PSO.
psomgr /add testpso-1::1000:100:6:30:50:1:1:0:true:true
Add PSO newpso-1 with specified values. Will not really create.
psomgr /add testpso-1::1000:100:6:30:50:1:1:0:true:true /forreal
Add PSO newpso-1 with specified values. Will create.
Delete / MultiDelete Examples
psomgr /del /pso pso-1
Delete PSO pso-1 in default domain... But not really.
psomgr /del /pso pso-1 /forreal
Delete PSO pso-1 in default domain...
psomgr /multidel /pso /forreal
Delete all unused PSO's in default domain...
psomgr /multidel /pso /forreal /override
Delete all (used and unused) PSO's in default domain...
psomgr /domain domx /multidel /pso test* /forreal
Delete all unused PSOs that start with test in domain domx...
Rename Examples
psomgr /rename newname-1 /pso oldpsoname /forreal
Rename oldpsoname to newname1.
Modification Examples
psomgr /dompol /mod :::42:7:24:0:30:30:1:true:false /forreal
Modify domain policy with specified values.
psomgr /mod /dompol /lockout 50:2:2 /pwdage 91:0 /pwdlen 10 /forreal
Modify domain policy with specified values.
psomgr /mod /pso testpol /lockout 50:2:2 /pwdage 91:0 /pwdlen 10 /forreal
Modify PSO testpol with specified values.
Quick Start Examples
psomgr /quickstart
Quick Start PSOs for default domain. But not for real, just see what
it would do.
psomgr /quickstart /forreal
Quick Start PSOs for default domain.
psomgr /quickstart /domain domx /forreal
Quick Start PSOs for domain domx.
psomgr /quickstart /alldoms /forreal
Quick Start PSOs for default domain but create PSOs for the password
policy from every domain.
Applied Examples
psomgr /applied /pso
Show membership applied to every PSO in default domain.
psomgr /applied /used /pso
Show membership applied to every used PSO in default domain.
Clear Applied Examples
psomgr /clearapplied /pso mypso /forreal
Clear all members of the PSO mypso.
Apply To / Unapply To Examples
psomgr /applyto myuser /pso somepso /forreal
Add myuser to policy somepso.
psomgr /unapplyto myuser /pso somepso /forreal
Remove myuser from policy somepso.
Effective Examples
psomgr /effective joeuser
Show applied policies and the effective policy of joeuser.
This software is Freeware. Use at your own risk.
I do not warrant this software to be fit for any purpose or use and
I do not guarantee that it will not damage or destroy your system. Use of
this utility signifies acceptance of this warranty and acceptance of all risk.
See full Warranty documentation on www.joeware.net.
You ARE licensed the right to use this software on your own systems.
You explicitly ARE NOT licensed the right to distribute this software. If
you have a need to license the right to distribute, please email me
for licensing costs and guidelines.
If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24x7 and read it in a semi-regular timeframe.
You can usually find me at joe@joeware.net
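As an added example (not PSOMgr's own code), here is a small Python parser for the colon-delimited -add/-mod string and the override switches described in the ADD/MOD NOTES and Add/Modification examples above. It assumes only the documented field order and switch names; fields left empty stay unset so the tool's own defaults (which the usage text does not list) can apply, and malformed values are rejected before anything would be written to the directory.

```python
# Field order of the colon-delimited -add/-mod string, as listed in the ADD/MOD NOTES.
FIELDS = ["name", "displayname", "precedence", "maxpwdage", "minlength", "history",
          "lo_count", "lo_duration", "lo_observe", "minpwdage", "complexity", "reversible"]
BOOL_FIELDS = {"complexity", "reversible"}
# Override switches and the fields each one fills, in the order given in the usage text.
OVERRIDES = {"lockout": ["lo_count", "lo_duration", "lo_observe"],
             "pwdage": ["maxpwdage", "minpwdage"], "pwdlen": ["minlength"],
             "pwdhist": ["history"], "pwdcomplex": ["complexity"], "pwdreverse": ["reversible"]}


def _convert(field, raw):
    """Type-check one field: names stay strings, true/false become bools, the rest ints."""
    if field in ("name", "displayname"):
        return raw
    if field in BOOL_FIELDS:
        if raw.lower() not in ("true", "false"):
            raise ValueError(f"{field}: expected true/false, got {raw!r}")
        return raw.lower() == "true"
    if not raw.isdigit():
        raise ValueError(f"{field}: expected a non-negative integer, got {raw!r}")
    return int(raw)


def parse_pso_spec(spec, overrides=None, for_add=True):
    """Return the fields explicitly set by the colon string plus any override switches.
    Empty positions (e.g. 'newpso10::1') stay unset so the tool's own defaults apply."""
    parts = spec.split(":")
    if len(parts) > len(FIELDS):
        raise ValueError(f"at most {len(FIELDS)} colon-delimited fields allowed")
    policy = {f: _convert(f, raw) for f, raw in zip(FIELDS, parts) if raw}
    args = list(overrides or [])
    while args:  # switches may be written with - or /; they take priority over the string
        switch = args.pop(0).lstrip("-/").lower()
        if switch not in OVERRIDES or not args:
            raise ValueError(f"bad or incomplete override switch {switch!r}")
        values = args.pop(0).split(":")
        if len(values) != len(OVERRIDES[switch]):
            raise ValueError(f"{switch}: expected {':'.join(OVERRIDES[switch])}")
        for f, raw in zip(OVERRIDES[switch], values):
            policy[f] = _convert(f, raw)
    if for_add:  # name and precedence are the only required fields on add
        missing = [f for f in ("name", "precedence") if f not in policy]
        if missing:
            raise ValueError(f"-add requires {', '.join(missing)}")
        policy.setdefault("displayname", policy["name"])  # displayname defaults to name
    return policy
```

Feeding it the strings from the Add and Modification examples shows exactly which of the 12 settings a command would set and which it leaves to the defaults, which is a useful review step before adding -forreal.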