Back when Server 2003 was the new hot thing, password policy could only be set at the domain level. Since then, Password Security Objects were introduced in Active Directory, beginning with Server 2008. PSO are like GPO’s and can be scoped to a specific OU, user, or group. In order to use PSO, ensure domain policy as defined in a GPO has been cleared out first.
To learn more about PSO, read the following: Fine Grained Password Policy
I was troubleshooting an issue where a user was unable to update their password, despite meeting password complexity requirements. Evidently, the minimum password age was set to 30, so they were prevented from creating a new password, in that 30 day window, until I changed the min. password age to 0.
Another few commands I found useful during this project were:
Determine computer / server DC using nltest
List all DC’s
Determine server used for user authentication: