vScope shows incorrect values for password attributes in Active Directory

If your domain uses Fine-Grained Password Policies (FGPP), it is possible that the service account used as the Active Directory credential does not have sufficient permissions to read the Password Settings Objects (PSOs).

Fine-Grained Password Policies

Although Fine-Grained Password Policies (FGPP) have been around for a while, they are not commonly used. In short, FGPP is a way to specify multiple password policies within a single domain, so that different password and account lockout restrictions can be applied to different sets of users in the same domain.

https://secureinfra.blog/2019/10/18/ad-nitty-gritty-of-fine-grained-password-policies/

What does this have to do with vScope showing incorrect values?

By default, only domain administrators can read and write FGPP. If the credential used by vScope does not have read access to the PSOs, vScope cannot see the policy that actually applies to a user and instead shows the default password settings from the Active Directory objects it does have access to.

Does that mean I have to use a Domain Admin account to inventory Active Directory?

No. It is possible to delegate read access to the PSOs to specific users or groups, which is the recommended approach if your organization uses FGPP.

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc770394(v=ws.10)
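To confirm whether this is what is happening in your domain, the following added check (not part of the original article, and not vScope's or Microsoft's own tooling) compares the PSOs visible to an administrative session with those visible to the vScope credential, and lists the users whose reported password settings would fall back to the domain default. It assumes the ActiveDirectory PowerShell module, a session that can itself read PSOs, and a hypothetical service account named 'CORP\svc-vscope'.

```powershell
# Added example (not vScope's or Microsoft's code): check whether the account
# vScope uses can read the PSOs that actually apply to users, and list the
# users whose password settings would therefore be reported incorrectly.
# Assumes the ActiveDirectory module, a session that itself can read PSOs,
# and a hypothetical service account name 'CORP\svc-vscope'.
Import-Module ActiveDirectory

$svcCred = Get-Credential -UserName 'CORP\svc-vscope' -Message 'vScope service account password'
$default = Get-ADDefaultDomainPasswordPolicy

# 1. How many PSOs exist vs. how many the service account is allowed to see.
$allPsos = @(Get-ADFineGrainedPasswordPolicy -Filter *)
$svcPsos = @(Get-ADFineGrainedPasswordPolicy -Filter * -Credential $svcCred)
Write-Host ("PSOs in domain: {0}; readable by service account: {1}" -f $allPsos.Count, $svcPsos.Count)

# 2. For each user with a resultant PSO, test whether the service account can
#    read that PSO object. An unreadable PSO is exactly the case where vScope
#    falls back to the domain default policy.
$users = Get-ADUser -Filter * -Properties 'msDS-ResultantPSO' |
         Where-Object { $_.'msDS-ResultantPSO' }

$report = foreach ($u in $users) {
    $psoDn    = $u.'msDS-ResultantPSO'
    $expected = Get-ADFineGrainedPasswordPolicy -Identity $psoDn
    try {
        $seen = Get-ADFineGrainedPasswordPolicy -Identity $psoDn -Credential $svcCred -ErrorAction Stop
    } catch {
        $seen = $null   # not found / access denied: the service account cannot read it
    }
    [pscustomobject]@{
        User           = $u.SamAccountName
        AppliedPSO     = $expected.Name
        PsoMinLen      = $expected.MinPasswordLength
        SvcSeesPSO     = [bool]$seen
        ReportedMinLen = if ($seen) { $seen.MinPasswordLength } else { $default.MinPasswordLength }
    }
}

$report | Format-Table -AutoSize
$broken = @($report | Where-Object { -not $_.SvcSeesPSO })
Write-Host ("{0} user(s) would show wrong password settings in vScope." -f $broken.Count)

# Remediation (run as Domain Admin after review): grant the service account
# generic read on the Password Settings Container and everything below it.
# $domainDn = (Get-ADDomain).DistinguishedName
# dsacls "CN=Password Settings Container,CN=System,$domainDn" /I:T /G 'CORP\svc-vscope:GR'
```

Any user listed with SvcSeesPSO set to False is one for which vScope will display the domain default instead of the applied PSO until read access is delegated.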
