TechShizz | All posts by rich

Create a Password Settings Object (PSO)

Password Settings Object (fine-grained password policy)


Creating a PSO


Create a global security group to apply the PSO to (PSOs link to users and global security groups only).



Open ADSI Edit (adsiedit.msc), right-click the root node, choose Connect to..., and accept the Default naming context.

Expand the domain and go to CN=System.

Right-click 'Password Settings Container' > New > Object and pick the class msDS-PasswordSettings.

Enter the PSO name as the cn value, e.g. 'PSO1', and click Next.


msDS-PasswordSettingsPrecedence box, type 10. Click Next.

msDS-PasswordReversibleEncryptionEnabled box, type FALSE. Click Next.

msDS-PasswordHistoryLength box, type 6. Click Next.

msDS-PasswordComplexityEnabled box, type FALSE. Click Next.

msDS-MinimumPasswordLength box, type 6. Click Next.

msDS-MinimumPasswordAge box, type 1:00:00:00. Click Next.

msDS-MaximumPasswordAge box, type 20:00:00:00. Click Next.

msDS-LockoutThreshold box, type 2. Click Next.

msDS-LockoutObservationWindow box, type 0:00:15:00. Click Next.

msDS-LockoutDuration box, type 0:00:15:00. Click Next, then Finish.

The time values are days:hours:minutes:seconds, and when several PSOs apply to one user the lowest precedence number wins. Note that the values above are deliberately lax for a lab: complexity disabled and a 6-character minimum are weaker than the default domain policy (7 characters with complexity), so do not roll them out to a real group as they stand.


Done - Now apply the Policy


Make sure View > Advanced Features is enabled in Active Directory Users and Computers, otherwise the System container and the Attribute Editor tab are hidden.


Go to System > Password Settings Container > right-click PSO1 > Properties

Attribute Editor tab

Find msDS-PSOAppliesTo and click Edit.

Use the pop-up to search AD for the group or users you want the PSO to apply to. A PSO can only be linked to user objects and global security groups; it cannot be applied to an OU, so to cover an OU put its users in a global group and link that.
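The same PSO built and linked from PowerShell instead of ADSI Edit, then checked against a member, as an added example that is not from the original post. The policy name 'PSO1', the group 'PSO1-Users' and the account 'jdoe' are assumed names; the attribute values are the ones used in the walkthrough above.

```powershell
# Added example (not from the original post): the ADSI Edit walkthrough
# done with the ActiveDirectory module. Assumed names: PSO 'PSO1', global
# security group 'PSO1-Users', sample user 'jdoe'.
Import-Module ActiveDirectory

# PSOs apply only to users and global security groups, never to OUs,
# so the group is the thing we link the policy to.
$group = New-ADGroup -Name 'PSO1-Users' -GroupScope Global -GroupCategory Security -PassThru

# Same values as the ADSI Edit steps. ComplexityEnabled $false and a
# 6-character minimum are below the domain default; lab use only.
$pso = New-ADFineGrainedPasswordPolicy -Name 'PSO1' `
    -Precedence 10 `
    -ReversibleEncryptionEnabled $false `
    -PasswordHistoryCount 6 `
    -ComplexityEnabled $false `
    -MinPasswordLength 6 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 20) `
    -LockoutThreshold 2 `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -PassThru

# Equivalent of filling in msDS-PSOAppliesTo in the Attribute Editor.
Add-ADFineGrainedPasswordPolicySubject -Identity $pso -Subjects $group

# Put a user in the group and confirm which policy actually wins for them.
# Lowest Precedence wins when several PSOs apply, and a PSO linked directly
# to the user beats one linked through a group.
Add-ADGroupMember -Identity $group -Members 'jdoe'
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MinPasswordLength, ComplexityEnabled, LockoutThreshold, MaxPasswordAge
```

If Get-ADUserResultantPasswordPolicy returns nothing, the user is not covered by any PSO and falls back to the Default Domain Policy; that is the quickest way to catch a PSO that was linked to the wrong group or to an OU by mistake.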

Get a list of user password expiry dates

msDS-UserPasswordExpiryTimeComputed is a constructed attribute that already takes the resultant PSO (or the domain default) into account, so this is also a good way to confirm a PSO has taken effect for its members.

Get-ADUser -Filter {Enabled -eq $true -and PasswordNeverExpires -eq $false} -Properties SamAccountName, "msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property SamAccountName, @{Name="Password Expiry Date"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Active Directory Compaction Script

Compaction Script


@echo off
REM Offline defragmentation of NTDS.dit. Run from an elevated prompt on the DC.
REM Needs free space on C: for a second copy of NTDS.dit and the two folders below.

ECHO To compact the NTDS.dit file for this domain
ECHO controller ensure you have the following
ECHO folders set up on the C:\ drive:
ECHO C:\Temp
ECHO C:\OriginalNTDS
pause

del C:\Temp\*.dit
del C:\OriginalNTDS\*.dit

REM Stop AD DS and its dependents (KDC, DNS, DFSR...) so the database is closed.
net stop ntds /y

REM Write a compacted copy to C:\Temp; the live file is untouched at this point.
ntdsutil "activate instance ntds" files "compact to C:\Temp" quit quit

cd /d C:\Windows\NTDS

REM Keep the original so the swap can be reversed, then remove the old transaction
REM logs: they belong to the pre-compaction database and must not be replayed
REM against the new one.
copy ntds.dit C:\OriginalNTDS\
del *.log
del ntds.dit
copy C:\Temp\ntds.dit

REM Verify the compacted file before AD DS comes back. If either check reports
REM errors, copy C:\OriginalNTDS\ntds.dit back over it before starting NTDS.
ntdsutil "activate instance ntds" files integrity quit "semantic database analysis" "go fixup" quit quit

ECHO Check the integrity output above. To restart AD DS press Enter.
pause

REM net start only restarts NTDS itself, not the dependents net stop took down;
REM start those (DNS, KDC, etc.) by hand afterwards or reboot the DC.
net start ntds

ECHO Compacting finished.


Restore AD from backup

To restore AD this way, Windows Server Backup needs to be taking full backups that include the volume holding NTDS.dit on the DC (a system state backup covers it).


To list and mount NTDS snapshots (the VSS snapshots taken with ntdsutil's snapshot create; the Windows Server Backup backups themselves are restored with wbadmin in the next section), start ntdsutil and enter:


activate instance ntds

snapshot

list all


Identify the snapshot you want and copy its GUID, then mount it from the same snapshot prompt:


snapshot: mount {GUID}


The snapshot is exposed as a read-only folder tree under C:\$SNAP_..._VOLUME_C$; you can browse it and copy things out of it if needed. You can also serve the NTDS.dit inside it as a separate LDAP instance.

Note the path of the NTDS.dit file within it for the next part.


dsamain -dbpath C:\$SNAP_465746_VOLUME_C$\Windows\NTDS\ntds.dit -ldapport 5000


dsamain keeps running in the foreground of that console window, so leave it open; the port is arbitrary but must be free on the DC. From dsa.msc you can now "Change Domain Controller" and enter the DC's name with the port (e.g. dc.contoso.local:5000) to browse the snapshot copy of the directory. It is read-only: you can compare it with live AD and copy attribute values out, but not write to it.


To un-mount, stop dsamain with Ctrl+C in its window, then back at the ntdsutil snapshot prompt run


unmount {GUID}
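What to do with the mounted instance, as an added example (not from the original post): query the snapshot and live AD side by side from PowerShell to find which users under an OU have vanished, and pull their group memberships out of the snapshot so you can decide between re-creating a few objects by hand and a full authoritative restore. It assumes dsamain is serving the snapshot on port 5000 of the local DC and that OU=Test,DC=contoso,DC=local is the OU in question; both are assumptions.

```powershell
# Added example, not part of the original post. Assumes a snapshot is mounted
# and dsamain is serving it read-only on LDAP port 5000 of this DC, and that
# OU=Test,DC=contoso,DC=local (assumed DN) is an OU deleted from live AD.
Import-Module ActiveDirectory

$live     = 'localhost'        # the DC's normal LDAP port
$snapshot = 'localhost:5000'   # the dsamain instance serving the snapshot
$ou       = 'OU=Test,DC=contoso,DC=local'

# Users as they were in the snapshot, with the memberships we may need to rebuild.
$then = Get-ADUser -Server $snapshot -SearchBase $ou -Filter * -Properties memberOf

# GUIDs of every user still present in live AD. The OU itself may no longer
# exist there, so search the whole domain rather than the OU.
$nowGuids = (Get-ADUser -Server $live -Filter *).ObjectGUID

# Match on objectGUID, not name: a re-created account with the same name is a
# different security principal (new SID) and would hide the loss.
$missing = $then | Where-Object { $nowGuids -notcontains $_.ObjectGUID }

$report = foreach ($u in $missing) {
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        DN             = $u.DistinguishedName
        Groups         = ($u.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
    }
}

$report | Format-Table -AutoSize
$report | Export-Csv -Path C:\Temp\missing-users.csv -NoTypeInformation
Write-Host "$($missing.Count) user(s) under $ou are in the snapshot but not in live AD"
```

The CSV is enough to re-create a handful of accounts and their group memberships by hand (with new SIDs, so ACLs referencing the old accounts will not follow). If the list is long, or SIDs matter, go to the DSRM authoritative restore below instead.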


Restore AD from directory service recovery mode


If an OU, user, group or any other object has been deleted from AD you will need an authoritative restore, which means rebooting the DC into Directory Services Restore Mode (DSRM).


bcdedit /set safeboot dsrepair


shutdown /r /t 0


The server reboots into DSRM. Log on with the local DSRM administrator account (.\Administrator and the DSRM password set when the DC was promoted); domain accounts will not work because AD DS is not running.


To identify the backup again run


wbadmin get versions


Copy the version identifier. wbadmin uses US date order, MM/DD/YYYY-HH:MM, regardless of the server's locale.


Run a non-authoritative restore


wbadmin start systemstaterecovery -version:03/24/2015-18:22


When the recovery finishes, do not restart yet (decline if wbadmin offers to). A normal-mode boot at this point would let replication from the other DCs re-delete the objects you just put back; they have to be marked authoritative first.


Run an authoritative restore, from ntdsutil:


activate instance ntds

authoritative restore

restore subtree "ou=test,dc=contoso,dc=local"

quit

quit


restore subtree marks every object under that DN with a version number high enough to win replication; everything else restored from the backup stays non-authoritative and is brought back in line by the current replicas. Use restore object "<DN>" for a single object. ntdsutil reports how many objects it marked and may write .ldf files for group-membership back-links; if it does, import those on the other DCs with ldifde once replication has run.



Reset boot method


Bcdedit /deletevalue safeboot


Shutdown /r /t 0