A: Fine-grained password policies are a great new feature in Windows Server 2008. They allow different security policies related to password and lockout configuration to be applied to users based on the groups a user is in, instead of one policy for the entire domain.

To check which Password Setting Object is being applied to a user, run the following command on a domain controller (DC):

dsquery user -samid <username> | dsget user -effectivepso

Here’s an example of how it would run on a particular DC: C:\Users\administrator.SAVILLTECH>dsquery user -samid john |dsget user –effectivepso.