Affected versions: Windows Server 2012 R2

Table of contents
  1. Symptom & Impact
  2. Environment & Reproduction
  3. Root Cause Analysis
  4. Quick Triage
  5. Step-by-Step Diagnosis
  6. Solution – Primary Fix
  7. Solution – Alternative Approaches
  8. Verification & Acceptance Criteria
  9. Rollback Plan
  10. Prevention & Hardening
  11. Related Errors & Cross-Refs
  12. References & Further Reading

Symptom & Impact

Fine-grained password policies (PSOs) created on a Windows Server 2012 R2 domain do not take effect, leaving users on default settings and weakening privileged account protection.

Environment & Reproduction

Reproducible by linking a PSO to a group and checking the resultant policy.

Get-ADFineGrainedPasswordPolicy -Filter *
Get-ADUserResultantPasswordPolicy jdoe

Root Cause Analysis

Causes include a PSO that is not linked to any subject, a PSO that loses on precedence to another PSO, or a PSO scoped to a group that the user is not a member of.

Quick Triage

Inspect PSO links and precedence.

Get-ADFineGrainedPasswordPolicy -Filter * | Select Name,Precedence,AppliesTo
Get-ADGroupMember 'Admins-PSO-Group'
Get-ADUserResultantPasswordPolicy jdoe

Step-by-Step Diagnosis

Verify the msDS-PSOApplied attribute on the user.

Get-ADUser jdoe -Properties msDS-PSOApplied | Select -ExpandProperty msDS-PSOApplied
Get-ADFineGrainedPasswordPolicy 'Admins-PSO' -Properties AppliesTo
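
The three root causes above can be checked in one pass. This is an added example, not code from the original page: it lists every PSO link that reaches a user, predicts the winner, and compares that with what the domain controller reports. The function name Test-PsoApplied is hypothetical; it assumes nested global security group memberships count toward PSO scope, and the LDAP filter used does not enumerate the user's primary group.

```powershell
# Added example (not from the original page). Run on a host with the RSAT
# ActiveDirectory module; 'jdoe' and 'Admins-PSO' are the page's sample names.
Import-Module ActiveDirectory

function Test-PsoApplied {
    param([Parameter(Mandatory)][string]$User,
          [Parameter(Mandatory)][string]$ExpectedPso)

    $u = Get-ADUser -Identity $User
    # Escape the DN for use inside an LDAP filter.
    $dn = $u.DistinguishedName -replace '\\','\5c' -replace '\*','\2a' `
                               -replace '\(','\28' -replace '\)','\29'
    # All groups the user is in, nested ones included (matching rule in chain).
    # Only global security groups can carry a PSO.
    $groupDns = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" |
        Where-Object { $_.GroupScope -eq 'Global' -and $_.GroupCategory -eq 'Security' } |
        ForEach-Object { $_.DistinguishedName })

    # Every PSO link that reaches this user, directly or through a group.
    $candidates = @(foreach ($pso in Get-ADFineGrainedPasswordPolicy -Filter *) {
        foreach ($subject in $pso.AppliesTo) {
            if ($subject -eq $u.DistinguishedName) { $via = 'Direct' }
            elseif ($groupDns -contains $subject)  { $via = 'Group' }
            else { continue }
            [pscustomobject]@{ Name = $pso.Name; Precedence = $pso.Precedence
                               LinkedVia = $via; Subject = $subject }
        }
    })

    # A directly linked PSO beats any group-linked one; within a tier the lowest
    # precedence number wins. Equal precedence is broken by GUID (not modelled).
    $tier = @($candidates | Where-Object { $_.LinkedVia -eq 'Direct' })
    if ($tier.Count -eq 0) { $tier = $candidates }
    $winner   = $tier | Sort-Object Precedence | Select-Object -First 1
    $actual   = Get-ADUserResultantPasswordPolicy -Identity $User
    $expected = $candidates | Where-Object { $_.Name -eq $ExpectedPso }

    $reason = if (-not $expected) {
        "'$ExpectedPso' is not linked to the user or to any of the user's global security groups"
    } elseif ($winner.Name -ne $ExpectedPso) {
        "'$ExpectedPso' loses to '$($winner.Name)' (precedence $($winner.Precedence), linked via $($winner.LinkedVia))"
    } else { "'$ExpectedPso' is the winning PSO" }

    [pscustomobject]@{ User = $User; Resultant = $actual.Name; Predicted = $winner.Name
                       Reason = $reason; Candidates = $candidates }
}

Test-PsoApplied -User 'jdoe' -ExpectedPso 'Admins-PSO' | Format-List
```

An empty Resultant value means no PSO applies and the user is on the default domain password policy. A Resultant that differs from Predicted points to a precedence tie or a membership this check does not see.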

Solution – Primary Fix

Link the PSO to the correct group and give it a lower precedence number so that it wins over competing PSOs.

Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins-PSO' -Subjects 'Admins-PSO-Group'
Set-ADFineGrainedPasswordPolicy -Identity 'Admins-PSO' -Precedence 10

Solution – Alternative Approaches

Apply the PSO directly to a specific user when group scope is impractical.

Add-ADFineGrainedPasswordPolicySubject -Identity 'Admins-PSO' -Subjects 'jdoe'

Verification & Acceptance Criteria

Get-ADUserResultantPasswordPolicy returns the PSO and password rules apply.

Get-ADUserResultantPasswordPolicy jdoe

Rollback Plan

Unlink the PSO if it causes lockouts.

Remove-ADFineGrainedPasswordPolicySubject -Identity 'Admins-PSO' -Subjects 'Admins-PSO-Group'

Prevention & Hardening

Document precedence, prefer groups over direct user links, and review PSO inventory.

Get-ADFineGrainedPasswordPolicy -Filter * | Export-Csv C:\Temp\psos.csv -NoTypeInformation

Related Errors & Cross-Refs

Related to password policy domain functional level (DFL) issues and LAPS.

References & Further Reading

Microsoft Learn: Fine-grained password policies.