TechShizz | Tech Guides

Create a Password Settings Object (PSO)

Password Settings Object

A PSO holds a fine-grained password policy that overrides the Default Domain Policy for the users and global security groups it is applied to. PSOs live in CN=Password Settings Container,CN=System in the domain partition and can be created directly in ADSI Edit as follows.

Creating a PSO

Create a global security group to apply the PSO to. A PSO can only be applied to user objects and global security groups, not to OUs, so if you want an OU's users covered, put them in a group.



Connect to

Go to System

Right Click 'Password Settings Container' > New > Object

Select the msDS-PasswordSettings class, then enter the PSO name as the cn value, e.g. 'PSO1'. Click Next and fill in the attributes in the order the wizard asks for them:


msDS-PasswordSettingsPrecedence box, type 10. Click Next. (When a user is covered by more than one PSO, the lowest precedence number wins.)

msDS-PasswordReversibleEncryptionEnabled box, type FALSE. Click Next.

msDS-PasswordHistoryLength box, type 6. Click Next.

msDS-PasswordComplexityEnabled box, type FALSE. Click Next.

msDS-MinimumPasswordLength box, type 6. Click Next.

msDS-MinimumPasswordAge box, type 1:00:00:00. Click Next.

msDS-MaximumPasswordAge box, type 20:00:00:00. Click Next.

msDS-LockoutThreshold box, type 2. Click Next.

msDS-LockoutObservationWindow box, type 0:00:15:00. Click Next.

msDS-LockoutDuration box, type 0:00:15:00. Click Next.

The duration values are entered as d:hh:mm:ss, so 1:00:00:00 is one day and 0:00:15:00 is fifteen minutes. Note that complexity off and a 6-character minimum are weaker than the Default Domain Policy defaults (complexity on, 7 characters): the values above suit a lab, but in production a PSO is normally used the other way round, to tighten the policy for privileged groups. A lockout threshold of 2 also makes it easy to lock accounts out deliberately, so pair a low threshold with a short lockout duration as done here.


Done - Now apply the Policy


Ensure Advanced Features is enabled in Active Directory Users and Computers (View > Advanced Features); without it the System container and the Attribute Editor tab are hidden.

Go to System > Password Settings Container > right click PSO1 > Properties

Attribute Editor tab

Find: msDS-PSOAppliesTo

Click Edit and use the pop up to search AD for the user or global security group you want the PSO to apply to. OUs are not valid targets; to cover an OU, put its users in a global security group and apply the PSO to that group.
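The same PSO1, built and applied with the ActiveDirectory PowerShell module instead of ADSI Edit, then verified from the user's side. This is an added example, not part of the original guide; it assumes the domain contoso.com, a target group called PSO1-Users created under OU=Groups,DC=contoso,DC=com, and an existing test user mary.north.

```powershell
# Added example: PSO1 via the ActiveDirectory module. Assumed names: domain contoso.com,
# group PSO1-Users in OU=Groups,DC=contoso,DC=com, existing test user mary.north.
Import-Module ActiveDirectory

$GroupName = 'PSO1-Users'
$GroupPath = 'OU=Groups,DC=contoso,DC=com'
$TestUser  = 'mary.north'

# A PSO can only be applied to users and *global* security groups, so create the
# group with that scope; a domain-local or universal group is rejected as a subject.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupPath
}

# Same values as the ADSI Edit walkthrough; the d:hh:mm:ss strings become TimeSpans.
# For a production PSO on privileged accounts you would raise MinPasswordLength and
# turn ComplexityEnabled on rather than off.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq 'PSO1'")) {
    New-ADFineGrainedPasswordPolicy -Name 'PSO1' `
        -Precedence 10 `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 6 `
        -ComplexityEnabled $false `
        -MinPasswordLength 6 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 20) `
        -LockoutThreshold 2 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 15) `
        -LockoutDuration (New-TimeSpan -Minutes 15) `
        -ProtectedFromAccidentalDeletion $true
}

# Equivalent of filling in msDS-PSOAppliesTo in the Attribute Editor
Add-ADFineGrainedPasswordPolicySubject -Identity 'PSO1' -Subjects $GroupName
Add-ADGroupMember -Identity $GroupName -Members $TestUser

# Verify from both ends: what the PSO says it applies to ...
(Get-ADFineGrainedPasswordPolicy -Identity 'PSO1' -Properties AppliesTo).AppliesTo

# ... and which policy the DC actually resolves for the user. An empty result means
# the Default Domain Policy still wins (user not in the group, or another PSO with a
# lower precedence number also covers the user).
$effective = Get-ADUserResultantPasswordPolicy -Identity $TestUser
if ($effective) {
    "{0}: {1} (precedence {2}, min length {3})" -f $TestUser, $effective.Name, $effective.Precedence, $effective.MinPasswordLength
} else {
    "$($TestUser): no PSO applies, Default Domain Policy in effect"
}
```

Get-ADUserResultantPasswordPolicy is the check worth keeping: it reports what the DC will enforce, which is the only thing that matters when several PSOs or nested groups are involved.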

Get list of user password expiry dates

msDS-UserPasswordExpiryTimeComputed is calculated by the DC from the user's resultant policy, so it already takes any PSO into account. The following lists every enabled account whose password is set to expire:

Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties "SamAccountName","msDS-UserPasswordExpiryTimeComputed" | Select-Object -Property "SamAccountName", @{Name="Password Expiry Date"; Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}

Creating users in Bulk with PowerShell

Finding Commands

Get-Command *AD*

This matches every command with "AD" anywhere in its name; to list only the Active Directory module's cmdlets use Get-Command -Module ActiveDirectory.





New-ADUser -Path "ou=User Accounts,dc=contoso,dc=com" -Name "Mary North" `
    -SAMAccountName "mary.north" -UserPrincipalName "[email protected]" `
    -EmailAddress "[email protected]" -GivenName "Mary" -Surname "North" `
    -Description "Sales Representative in Australia" `
    -Company "Contoso, Ltd." -Department "Sales" `
    -Office "Sydney" `
    -AccountPassword (ConvertTo-SecureString -AsPlainText 'Pa$$w0rd' -Force) `
    -ChangePasswordAtLogon $true -Enabled $true

Password Set

The last two lines set the initial password and force a change at first logon. The password must be in single quotes: inside double quotes PowerShell treats $$ as the automatic variable $$ and expands it, so "Pa$$w0rd" is not the string you think it is. A plain-text password in a script or in the console history is itself a finding, so for anything beyond a lab prompt for it with Read-Host -AsSecureString or generate a random one-time password.


Piped command


Get-ADUser "mary.north" | Set-ADUser -DisplayName "North, Mary"


Variable Command


$user = Get-ADUser "mary.north"

Set-ADUser $user -EmployeeNumber 12345





The original loop on this page had only comments where the username, password, domain, UPN, home directory and OU were built; the assignments below fill those in with the conventions the comments describe (first initial plus surname, Firstname+Lastname as the password) and the contoso.com domain and OU used earlier on the page. The home directory share is an assumption.

$UserList = Import-Csv C:\Users\Administrator\Documents\newusers.csv

# Step through each item in the list
foreach ($Person in $UserList) {

    # Build username (first initial + surname, lower case)
    $Username = ($Person.Firstname.Substring(0, 1) + $Person.Lastname).ToLower()

    # Build password from Firstname and Lastname (see the note below)
    $Password = $Person.Firstname + $Person.Lastname

    # Build the display name
    $Name = $Person.Firstname + " " + $Person.Lastname

    # Build and define domain name
    $Domain = "contoso.com"

    # Build user principal name
    $UPN = $Username + "@" + $Domain

    # Build and define home directory path (assumed share)
    $HDrive = "\\fileserver\home$\" + $Username

    # Build and define which organizational unit to create the user inside
    $OU = "OU=User Accounts,DC=contoso,DC=com"

    # Create account in Active Directory (AND HERE...WE...GO!)
    New-ADUser -Name $Name -GivenName $Person.Firstname -Surname $Person.Lastname `
        -DisplayName $Name -SamAccountName $Username -HomeDrive "H:" -HomeDirectory $HDrive `
        -UserPrincipalName $UPN -Path $OU

    # Set password
    Set-ADAccountPassword -Identity $Username -NewPassword (ConvertTo-SecureString -AsPlainText $Password -Force)

    # Add user to security groups
    Add-ADPrincipalGroupMembership -Identity $Username -MemberOf "Sales","Test"

    # Enable account
    Enable-ADAccount -Identity $Username
}

A password built from the first and last name is guessable by anyone with the staff list, and the loop neither forces a change at first logon nor checks whether the username already exists, so a duplicate row aborts the run part way through.
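The same bulk workflow with those weak spots fixed: a cryptographically random one-time password, a forced change at first logon, a duplicate check so the run is repeatable, and a group existence check. This is an added example, not the page's script; it assumes the domain contoso.com, the OU OU=User Accounts,DC=contoso,DC=com, a home share \\fileserver\home$, and one security group named after each Department value. The CSV rows are constructed sample input standing in for newusers.csv.

```powershell
# Added example: hardened bulk user creation. Assumed names: domain contoso.com,
# OU=User Accounts,DC=contoso,DC=com, home share \\fileserver\home$, groups named
# after Department values. Sample CSV rows below are constructed.
Import-Module ActiveDirectory

$Domain   = 'contoso.com'
$TargetOU = 'OU=User Accounts,DC=contoso,DC=com'
$HomeRoot = '\\fileserver\home$'

# Constructed sample input standing in for newusers.csv; swap for Import-Csv in use.
$UserList = @'
Firstname,Lastname,Department
Mary,North,Sales
Bob,O'Neil,Sales
'@ | ConvertFrom-Csv

function New-RandomPassword {
    # Cryptographically random one-time password; the user replaces it at first logon.
    param([int]$Length = 16)
    $alphabet = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!#%*+-=?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    $limit = 256 - (256 % $alphabet.Length)   # rejection sampling keeps the modulo unbiased
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($byte)
        if ($byte[0] -lt $limit) { [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function ConvertTo-SamAccountName {
    # first initial + surname, lower case, ASCII letters and digits only, 20 chars max
    param([string]$First, [string]$Last)
    $sam = ($First.Substring(0, 1) + $Last).ToLower() -replace '[^a-z0-9]', ''
    if ($sam.Length -gt 20) { $sam.Substring(0, 20) } else { $sam }
}

$report = foreach ($Person in $UserList) {
    $sam  = ConvertTo-SamAccountName -First $Person.Firstname -Last $Person.Lastname
    $name = "$($Person.Firstname) $($Person.Lastname)"
    $upn  = "$sam@$Domain"

    # Idempotent: skip accounts that already exist instead of failing half way through
    if (Get-ADUser -Filter "SamAccountName -eq '$sam'") {
        [pscustomobject]@{ SamAccountName = $sam; Status = 'already exists'; InitialPassword = $null }
        continue
    }

    $initial = New-RandomPassword
    New-ADUser -Name $name -GivenName $Person.Firstname -Surname $Person.Lastname `
        -DisplayName $name -SamAccountName $sam -UserPrincipalName $upn `
        -Department $Person.Department -Path $TargetOU `
        -HomeDrive 'H:' -HomeDirectory (Join-Path $HomeRoot $sam) `
        -AccountPassword (ConvertTo-SecureString -AsPlainText $initial -Force) `
        -ChangePasswordAtLogon $true -Enabled $true

    if (Get-ADGroup -Filter "Name -eq '$($Person.Department)'") {
        Add-ADPrincipalGroupMembership -Identity $sam -MemberOf $Person.Department
    } else {
        Write-Warning "group '$($Person.Department)' not found; $sam created without group membership"
    }

    [pscustomobject]@{ SamAccountName = $sam; Status = 'created'; InitialPassword = $initial }
}

# The report carries one-time passwords: hand it to onboarding out of band, never write it to a log.
$report | Format-Table -AutoSize
```

The rejection-sampling loop in New-RandomPassword matters more than it looks: taking a byte modulo the alphabet length without it slightly favours the first few characters, which is exactly the kind of bias a password cracker's mask ordering benefits from.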




Restore AD Objects

Enable the Active Directory Recycle Bin with the Enable-ADOptionalFeature cmdlet. Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator. Below is a sample for enabling it for

Enable-ADOptionalFeature -Identity "CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=domain,DC=com" -Scope ForestOrConfigurationSet -Target

Enabling the Recycle Bin cannot be undone and requires a forest functional level of Windows Server 2008 R2 or higher. Once it is enabled, deleted objects keep their attributes for the deleted object lifetime (180 days by default) and can be restored with Restore-ADObject or, as described here, with Ldp.exe. By default Ldp.exe does not display the container with the deleted objects; the following steps make it visible.

To display the Deleted Objects container
1. To open Ldp.exe, click Start, click Run, and then type ldp.exe.
2. On the Options menu, click Controls.
3. In the Controls dialog box, expand the Load Predefined pull-down menu, click Return deleted objects, and then click OK.
4. To verify that the Deleted Objects container is displayed:
  1. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then Bind.
  2. Click View, click Tree, and in BaseDN, type DC=<mydomain>,DC=<com>, where <mydomain> and <com> represent the appropriate forest root domain name of your AD DS environment.
  3. In the console tree, double-click the root distinguished name (also known as DN) and locate the CN=Deleted Objects,DC=<mydomain>,DC=<com> container.

Once the container is displayed you can restore deleted objects from Active Directory. Below are the steps to recover a single item from the Recycle Bin using Ldp.exe.

To restore a deleted Active Directory object using Ldp.exe
1. Open Ldp.exe from an elevated command prompt: click Start, type Command Prompt in Start Search, right-click Command Prompt, click Run as administrator, confirm the User Account Control prompt, and then run ldp.exe.
2. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.
3. On the Options menu, click Controls.
4. In the Controls dialog box, expand the Load Predefined drop-down list, click Return Deleted Objects, and then click OK.
5. In the console tree, navigate to the CN=Deleted Objects container.
6. Locate and right-click the deleted Active Directory object that you want to restore, and then click Modify.
7. In the Modify dialog box:
  1. In Edit Entry Attribute, type isDeleted.
  2. Leave the Values box empty.
  3. Under Operation, click Delete, and then click Enter.
  4. In Edit Entry Attribute, type distinguishedName.
  5. In Values, type the original distinguished name (also known as DN) of this Active Directory object.
  6. Under Operation, click Replace.
  7. Make sure that the Extended check box is selected, click Enter, and then click Run.

Both changes are entered before Run because they must go to the server as a single modify operation; a distinguishedName change on an object still marked isDeleted is rejected. If the object's original parent OU was deleted as well, restore the parent first, or give the object a DN under a container that still exists.
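The same Recycle Bin workflow done with the ActiveDirectory module instead of Ldp.exe: enable the feature if it is not already on, locate the deleted object, check that its parent still exists, and restore it. This is an added example, not part of the original guide; it assumes you run it as an Enterprise Admin in the forest root, that the deleted user is mary.north, and that OU=User Accounts,DC=contoso,DC=com is an acceptable fallback location.

```powershell
# Added example: Recycle Bin enable/find/restore with the ActiveDirectory module.
# Assumed: Enterprise Admin in the forest root, deleted user mary.north, fallback
# OU=User Accounts,DC=contoso,DC=com.
Import-Module ActiveDirectory

# 1. Enable the Recycle Bin once per forest. One-way; needs forest functional level
#    Windows Server 2008 R2 or higher.
$feature = Get-ADOptionalFeature -Filter 'Name -eq "Recycle Bin Feature"'
if (-not $feature.EnabledScopes) {
    Enable-ADOptionalFeature -Identity $feature -Scope ForestOrConfigurationSet `
        -Target (Get-ADForest).Name -Confirm:$false
}

# 2. Deleted objects are only returned with -IncludeDeletedObjects; they carry
#    isDeleted=TRUE and lastKnownParent, the container they were deleted from.
function Find-DeletedADUser {
    param([Parameter(Mandatory)][string]$SamAccountName)
    # the name is spliced into an LDAP filter, so refuse filter metacharacters
    if ($SamAccountName -match '[()\\*\x00]') { throw 'unsafe characters in SamAccountName' }
    Get-ADObject -LDAPFilter "(&(objectClass=user)(isDeleted=TRUE)(sAMAccountName=$SamAccountName))" `
        -IncludeDeletedObjects -Properties sAMAccountName, lastKnownParent, whenChanged
}

# 3. Restore. This is the same change the Ldp.exe modify makes (clear isDeleted, set the
#    DN); with the Recycle Bin enabled the object comes back with its attributes intact,
#    group membership included.
function Restore-DeletedADUser {
    param([Parameter(Mandatory)][string]$SamAccountName, [string]$FallbackOU)
    $hits = @(Find-DeletedADUser -SamAccountName $SamAccountName)
    if ($hits.Count -eq 0) { throw "no deleted user '$SamAccountName' in the Recycle Bin" }
    if ($hits.Count -gt 1) { throw "$($hits.Count) deleted objects match; pick one by ObjectGUID and call Restore-ADObject directly" }
    $obj = $hits[0]

    # The original parent must exist; otherwise restore the parent first or redirect.
    try   { Get-ADObject -Identity $obj.lastKnownParent | Out-Null; $parentExists = $true }
    catch { $parentExists = $false }

    if ($parentExists) {
        Restore-ADObject -Identity $obj.ObjectGUID
    } elseif ($FallbackOU) {
        Restore-ADObject -Identity $obj.ObjectGUID -TargetPath $FallbackOU
    } else {
        throw "parent '$($obj.lastKnownParent)' no longer exists; restore it first or pass -FallbackOU"
    }
    Get-ADUser -Identity $SamAccountName -Properties MemberOf, Enabled
}

# 4. How long you have: objects stay restorable for msDS-DeletedObjectLifetime after
#    deletion. Unset means it follows tombstoneLifetime, 180 days on current forests.
$dsObject = "CN=Directory Service,CN=Windows NT,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$lifetime = (Get-ADObject -Identity $dsObject -Properties 'msDS-DeletedObjectLifetime').'msDS-DeletedObjectLifetime'
"Deleted object lifetime: $(if ($null -eq $lifetime) { 'not set (follows tombstoneLifetime)' } else { "$lifetime days" })"

Restore-DeletedADUser -SamAccountName 'mary.north' -FallbackOU 'OU=User Accounts,DC=contoso,DC=com'
```

The parent check is the part people skip: Restore-ADObject fails when lastKnownParent no longer exists, and restoring an OU tree means restoring it top-down in the same way.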

Authoritative Restore

Restore from DSRM

For this to work Windows Server Backup must have taken a system state backup, which includes the ntds.dit file.

Browsing the backups and the NTDS.dit file

Manual snapshots of the AD database can be taken with ntdsutil (the abbreviated forms such as "act inst ntds" are accepted):

ntdsutil
activate instance ntds
snapshot
create
list all

Select the GUID of the snapshot and mount it as follows:

mount {GUID}

The snapshot is exposed as a folder directly under C:\ (a $SNAP_..._VOLUMEC$ directory). You can then mount the ntds.dit file inside the mounted snapshot as a read-only LDAP instance. Exit ntdsutil and run:

dsamain -dbpath c:\$SNAP_65168161358_VOLUMEC$\Windows\ntds\ntds.dit -ldapport 5000

The database is now served over LDAP on port 5000 and can be accessed from dsa.msc: change the domain controller to dc1.contoso.local:5000 to browse the snapshot copy of NTDS.dit.

Security note: the mounted snapshot is a complete, readable copy of ntds.dit, password hashes included, and these same ntdsutil snapshot commands are a standard way for an attacker with DC access to copy the database. Keep the mount short-lived, unmount and delete the snapshot when you are done (unmount {GUID} and delete {GUID} in the ntdsutil snapshot menu), and alert on unexpected ntdsutil.exe or dsamain.exe execution on domain controllers.
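The snapshot, mount and dsamain steps above as one script that also cleans up after itself and uses the side port for something concrete: comparing a user's group membership in the snapshot with the live directory. This is an added example, not part of the original guide. It assumes it is run elevated on the DC, that the AD database lives on C:, that port 5000 is free, that mary.north exists, and that ntdsutil's "list all" output lists the C: volume snapshot as "C: {GUID}" with the newest entry last, which is what the regex below relies on.

```powershell
# Added example: scripted ntdsutil snapshot -> mount -> dsamain -> compare -> cleanup.
# Assumed: elevated on the DC, database on C:, port 5000 free, user mary.north exists,
# and "list all" prints the C: snapshot as "C: {GUID}" with the newest entry last.
$Port        = 5000
$User        = 'mary.north'
$GuidPattern = '\{[0-9a-fA-F-]{36}\}'

# 1. Take the snapshot and list it. ntdsutil accepts its menu commands as arguments.
$out = ntdsutil 'activate instance ntds' snapshot create 'list all' quit quit
$match = [regex]::Matches(($out -join "`n"), "C:\s+($GuidPattern)") | Select-Object -Last 1
if (-not $match) { throw "snapshot create/list failed:`n$($out -join "`n")" }
$snapGuid = $match.Groups[1].Value

# 2. Mount it; the database becomes a plain readable file under the mount point.
$out = ntdsutil 'activate instance ntds' snapshot "mount $snapGuid" quit quit
$mountPoint = [regex]::Match(($out -join "`n"), '[A-Za-z]:\\\$SNAP_[^\s\\]+\$\\').Value
if (-not $mountPoint) { throw "mount failed:`n$($out -join "`n")" }
$dit = Join-Path $mountPoint 'Windows\NTDS\ntds.dit'

$dsamain = $null
try {
    # 3. Serve the snapshot on a side LDAP port (this is what dsa.msc would connect to).
    $dsamain = Start-Process dsamain -ArgumentList "-dbpath `"$dit`" -ldapport $Port" -PassThru
    Start-Sleep -Seconds 10   # give dsamain time to open the database

    # 4. Group membership then versus now.
    $then = @((Get-ADUser -Identity $User -Server "localhost:$Port" -Properties MemberOf).MemberOf)
    $now  = @((Get-ADUser -Identity $User -Properties MemberOf).MemberOf)
    Compare-Object -ReferenceObject $then -DifferenceObject $now |
        Select-Object @{ n = 'Group';  e = { $_.InputObject } },
                      @{ n = 'Change'; e = { if ($_.SideIndicator -eq '=>') { 'added since snapshot' } else { 'removed since snapshot' } } }
}
finally {
    # 5. Clean up. The snapshot is a full copy of ntds.dit including password hashes,
    #    so do not leave it on disk or on a listening port longer than needed.
    if ($dsamain -and -not $dsamain.HasExited) { Stop-Process -Id $dsamain.Id }
    ntdsutil 'activate instance ntds' snapshot "unmount $snapGuid" "delete $snapGuid" quit quit | Out-Null
}
```

The try/finally is deliberate: if the comparison throws, the snapshot is still unmounted and deleted, which is the state you want a DC left in.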


Performing an Authoritative Restore

If an OU, a user or any other object needs to be restored authoritatively, do the following.

Restart the DC in DSRM (Directory Services Restore Mode). Open CMD and run:

bcdedit /set safeboot dsrepair
shutdown /r /t 0

The DC reboots into DSRM, where you log on with the DSRM administrator password (not a domain account). When the restore is finished, run bcdedit /deletevalue safeboot before restarting, otherwise the DC keeps booting into DSRM.