AD Attributes

Active Directory Attributes » Active Directory password attribute: ms-DS-Password-Settings-Precedence

Active Directory password attribute: ms-DS-Password-Settings-Precedence

This attribute contains a number which denotes the precedence of a password settings object (PSO). With fine-grained password policies (FGPPs), you can create multiple PSOs and apply them to groups. If more than one PSO is applied to a group, the PSO with the lower precedence number will be applied. For each PSO you create, it is recommended to assign a unique precedence value.

CN ms-DS-Password-Settings-Precedence
Ldap-Display-Name msDS-PasswordSettingsPrecedence
Attribute-Id 1.2.840.113556.1.4.2023
System-Id-Guid 456374ac-1f0a-4617-93cf-bc55a7c9d341

For more details about this attribute, refer to this Microsoft document.

Did you know that the default Active Directory password policy hasn’t changed much since it was introduced in the early 2000s? While FGPP makes it easier to enable different password policy settings based on groups and users, it still cannot be applied directly to an OU. Moreover, the password policy settings can easily be exploited by users to set common weak passwords.

ADSelfService Plus, an integrated Active Directory self-service password management and single sign-on solution, helps implement strong password complexity rules and multi-factor authentication (MFA) for endpoints, thus ensuring improved security against common credential-based attacks. Some of the highlights of ADSelfService Plus include:

  1. Custom password policy enforcer: Prevent users from setting weak and breached passwords for their accounts through an advanced password policy that bans dictionary words, keyboard sequence and supports Have I Been Pwned? Integration.
  2. OU and group-based password policies: Create multiple password policies based on users’ privileges and assign them based on OUs and groups.
  3. Endpoint MFA: Add an extra layer of security to user accounts by enabling YubiKey, biometric, Google Authenticator, and other strong authentication methods for local and remote desktop logons to Windows, Linux, and Mac endpoints.
  4. Self-service password management: Allow users to reset passwords and unlock accounts on their own; reduces help desk tickets and improves employee productivity.

Simplify password management with ADSelfService Plus.

  • Please enter a business email id
    By clicking 'Get Your Free Trial', you agree to processing of personal data according to the Privacy Policy.


Your download is in progress and it will be completed in just a few seconds!
If you face any issues, download manually here

Self-service password management and single sign-on solution

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. Ensure endpoint security with stringent authentication controls including biometrics and advanced password policy controls.