3.1.1.4.5.36 msDS-ResultantPSO


The msDS-ResultantPSO attribute exists on AD DS on Windows Server 2008 operating system and later. This attribute does not exist on AD LDS. This attribute specifies the effective password policy applied on this object.

The value of msDS-ResultantPSO is a single value of Object (DS-DN) syntax. This attribute is constructed as follows:

Let RESULTSET be a set of DS-DN, initially empty.

Let U be the object from which the msDS-ResultantPSO attribute is being read.

  • If the domain functional level is less than DS_BEHAVIOR_WIN2008, then there is no value in this attribute.

  • If U!objectClass does not contain the value "user", then there is no value in this attribute.

  • If the bit for ADS_UF_NORMAL_ACCOUNT (see section 2.2.16) is not set in U!userAccountControl, then there is no value in this attribute.

  • If the RID in U!objectSid is equal to DOMAIN_USER_RID_KRBTGT, then there is no value in this attribute.

    Note: Windows Server 2016 operating system and earlier and Windows Server v1803 operating system and earlier do not enforce this check.

  • If the U!msDS-SecondaryKrbTgtNumber attribute has a value, then there is no value in this attribute.

  • Let RESULTSET be the values of U!msDS-PSOApplied that are of object class msDS-PasswordSettings and are under the Password Settings container (see section 6.1.1.4.11.1).

  • If RESULTSET is empty:

    • Let S be the set of objects returned by invoking the algorithm in [MS-DRSR] section 4.1.8.3 (IDL_DRSGetMemberships) using DRS_MSG_REVMEMB_REQ_V1.OperationType=RevMembGetAccountGroups, DRS_MSG_REVMEMB_REQ_V1.ppDsNames=U, and DRS_MSG_REVMEMB_REQ_V1.pLimitingDomain = the domain for which the server is a DC.

    • For each O (an object) in S do the following:

      • RESULTSET = RESULTSET union O!msDS-PSOApplied

  • Sort objects in set RESULTSET according to msDS-PasswordSettingsPrecedence values, breaking ties with objectGUID values, with smaller values coming first.

  • Return the first element in the sorted RESULTSET (if empty, the msDS-ResultantPSO attribute is not present).
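The resolution procedure above, carried through as an added example that is not part of MS-ADTS or any Microsoft implementation. It models a directory as an in-memory dictionary of objects; the PSO names, DNs, GUIDs and SIDs are constructed, the transitive group membership list on each user stands in for the IDL_DRSGetMemberships call, and "smaller objectGUID" is interpreted as byte-wise order of the GUID (an assumption, since the page does not define the comparison). It also shows the point a reviewer of a password policy most often needs to check: a PSO linked directly to the user wins over any group-derived PSO regardless of precedence, and krbtgt and non-normal accounts never receive one.

```python
"""Toy model of msDS-ResultantPSO resolution (illustrative example, not MS-ADTS code)."""
import uuid
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constants named as in MS-ADTS; values are the documented ones.
DS_BEHAVIOR_WIN2008 = 3          # domain functional level of Windows Server 2008
ADS_UF_NORMAL_ACCOUNT = 0x0200   # userAccountControl bit for a normal user account
DOMAIN_USER_RID_KRBTGT = 502     # RID of the krbtgt account
# Constructed DN of the Password Settings Container for this sample domain.
PSO_CONTAINER_DN = "CN=Password Settings Container,CN=System,DC=example,DC=com"


@dataclass
class Pso:
    dn: str
    precedence: int                 # msDS-PasswordSettingsPrecedence
    object_guid: uuid.UUID          # objectGUID
    object_class: Tuple[str, ...] = ("top", "msDS-PasswordSettings")


@dataclass
class Group:
    dn: str
    pso_applied: List[str] = field(default_factory=list)   # msDS-PSOApplied


@dataclass
class User:
    dn: str
    object_class: Tuple[str, ...]
    user_account_control: int
    rid: int                        # RID portion of objectSid
    pso_applied: List[str] = field(default_factory=list)   # msDS-PSOApplied
    secondary_krbtgt_number: Optional[int] = None          # msDS-SecondaryKrbTgtNumber
    # Hypothetical stand-in for RevMembGetAccountGroups: transitive account groups.
    account_groups: List[str] = field(default_factory=list)


def resultant_pso(user: User, directory: Dict[str, object], domain_level: int) -> Optional[str]:
    """Return the DN of the effective PSO, or None when msDS-ResultantPSO has no value."""
    if domain_level < DS_BEHAVIOR_WIN2008:
        return None
    if "user" not in user.object_class:
        return None
    if not user.user_account_control & ADS_UF_NORMAL_ACCOUNT:
        return None
    if user.rid == DOMAIN_USER_RID_KRBTGT:
        return None
    if user.secondary_krbtgt_number is not None:
        return None

    def is_applicable_pso(dn: str) -> bool:
        obj = directory.get(dn)
        return (isinstance(obj, Pso)
                and "msDS-PasswordSettings" in obj.object_class
                and dn.endswith("," + PSO_CONTAINER_DN))

    # Step 1: PSOs linked directly to the user (filtered as the text requires).
    resultset = {dn for dn in user.pso_applied if is_applicable_pso(dn)}
    # Step 2: only if none is linked directly, union the PSOs of every account group.
    # The same filter is applied here as a defensive choice of this example.
    if not resultset:
        for group_dn in user.account_groups:
            group = directory.get(group_dn)
            if isinstance(group, Group):
                resultset |= {dn for dn in group.pso_applied if is_applicable_pso(dn)}
    if not resultset:
        return None
    # Step 3: lowest precedence first, ties broken by the smaller objectGUID (byte order assumed).
    ordered = sorted(resultset,
                     key=lambda dn: (directory[dn].precedence, directory[dn].object_guid.bytes))
    return ordered[0]


def build_sample_directory() -> Dict[str, object]:
    """Constructed sample: three PSOs and one group (no real directory data)."""
    strict = Pso("CN=Strict," + PSO_CONTAINER_DN, precedence=10, object_guid=uuid.UUID(int=1))
    lenient = Pso("CN=Lenient," + PSO_CONTAINER_DN, precedence=20, object_guid=uuid.UUID(int=2))
    # Same precedence as 'lenient' but a smaller GUID, so it wins a tie.
    lenient_b = Pso("CN=LenientB," + PSO_CONTAINER_DN, precedence=20, object_guid=uuid.UUID(int=0))
    admins = Group("CN=Admins,CN=Users,DC=example,DC=com", pso_applied=[strict.dn])
    return {o.dn: o for o in (strict, lenient, lenient_b, admins)}


def demo_cases() -> Dict[str, Optional[str]]:
    """Resolve a handful of constructed accounts and return name -> resultant PSO DN."""
    d = build_sample_directory()
    admins = "CN=Admins,CN=Users,DC=example,DC=com"
    users = {
        # Directly linked PSO beats the group's stricter one.
        "alice": User("CN=alice", ("top", "person", "user"), ADS_UF_NORMAL_ACCOUNT, 1101,
                      pso_applied=["CN=Lenient," + PSO_CONTAINER_DN], account_groups=[admins]),
        # No direct PSO, inherits from group membership.
        "bob": User("CN=bob", ("top", "person", "user"), ADS_UF_NORMAL_ACCOUNT, 1102,
                    account_groups=[admins]),
        # Neither direct nor group PSO: attribute absent.
        "carol": User("CN=carol", ("top", "person", "user"), ADS_UF_NORMAL_ACCOUNT, 1103),
        # krbtgt is excluded by RID.
        "krbtgt": User("CN=krbtgt", ("top", "person", "user"), ADS_UF_NORMAL_ACCOUNT,
                       DOMAIN_USER_RID_KRBTGT, account_groups=[admins]),
        # Workstation trust account (0x1000) without the normal-account bit.
        "ws01$": User("CN=WS01", ("top", "person", "user", "computer"), 0x1000, 1104,
                      account_groups=[admins]),
        # Two directly linked PSOs with equal precedence: smaller GUID wins.
        "dave": User("CN=dave", ("top", "person", "user"), ADS_UF_NORMAL_ACCOUNT, 1105,
                     pso_applied=["CN=Lenient," + PSO_CONTAINER_DN,
                                  "CN=LenientB," + PSO_CONTAINER_DN]),
    }
    return {name: resultant_pso(u, d, DS_BEHAVIOR_WIN2008) for name, u in users.items()}


if __name__ == "__main__":
    for name, pso in demo_cases().items():
        print(f"{name:8s} -> {pso}")
```

Running the module prints one line per constructed account; note that `alice` resolves to the lenient PSO even though her group carries a PSO with a lower (stronger) precedence value, which is the behaviour auditors are most often surprised by.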