Appendix B: PSO Attribute Constraints

Applies To: Windows Server 2008, Windows Server 2008 R2

Negative PSO attribute values

When you use ADSI Edit to create Password Settings objects (PSOs), enter the values of the four time-related PSO attributes (msDS-MaximumPasswordAge, msDS-MinimumPasswordAge, msDS-LockoutObservationWindow, and msDS-LockoutDuration) in d:hh:mm:ss format.

When you use the ldifde command to create PSOs, you must enter the values of these attributes in I8 format, which stores time in the intervals of -100 nanoseconds. (Schema: attributeSyntax = 2.5.5.16 (I8).) Windows Server 2003 Default Domain Policy employs this exact time unit for its corresponding time-related attributes. To set these attributes to appropriate values, convert time values in minutes, hours, or days to time values in the intervals of 100 nanoseconds, and then precede the resultant values with a negative sign.

You can use the following conversion guide and multiplication factors to obtain the corresponding I8 values. To set the time to never, set the value to -9223372036854775808.

Time unit

Multiplication factor

m minutes

-60*(10^7) = - 600000000

h hours

-60*60* (10^7) = -36000000000

d days

-24*60*60*(10^7) = -864000000000

For example, if you want to set the msDS-MaximumPasswordAge to 10 days, multiply 10 by -864000000000 and apply the resulting I8 value to the msDS-MaximumPasswordAge attribute (in this example, -8640000000000). If you want to set msDS-LockoutDuration to 30 minutes, multiply 30 by -600000000 to get the corresponding I8 value (in this example, -18000000000).

PSO attributes referential integrity

Consider the following information when you create new PSOs:

  • The value of msDS-MinimumPasswordAge must be smaller than or equal to the value of msDS-MaximumPasswordAge.

  • The value of msDS-LockoutObservationWindow cannot be larger than the value of msDS-LockoutDuration. The msDS-LockoutObservationWindow determines how long the bad password counter is active. The msDS-LockoutDuration determines how long an account stays locked out for when the bad password count threshold is reached. It is not possible to keep the bad password counter active longer than the time that the account is locked out.

  • The value of msDS-MaximumPasswordAge cannot be set to zero.