Password Settings objects (PSOs) can be linked to a user (or inetOrgPerson) or group object that is in the same domain as the PSO.
· A PSO has an attribute named PSOAppliesTo that contains a forward link to only user or group objects. The PSOAppliesTo attribute is multivalued, which means that you can apply a PSO to multiple users or groups. You can create one password policy and apply it to different sets of users or groups.
· A new attribute named PSOApplied has been added to the user and group objects in Windows Server 2008. The PSOApplied attribute contains a back-link to the PSO. Because PSOApplied is a back-link, a user or group can have multiple PSOs applied to it. In this case, the settings that are applied are calculated by Resultant Set of Policy (RSOP).
You can link a PSO to other types of groups in addition to global security groups. However, when the resultant set of policy is determined for a user or group, only PSOs that are linked to global security groups or user objects are considered. PSOs that are linked to distribution groups or other types of security groups are ignored.
If multiple PSOs are linked to a user or group, the resultant PSO that is applied is determined as follows:
1. A PSO that is linked directly to the user object is the resultant PSO. If more than one PSO is linked directly to the user object, a warning message is logged in the event log and the PSO with the lowest precedence value is the resultant PSO.
2. If no PSO is linked to the user object, the global security group memberships of the user, and all PSOs that are applicable to the user based on those global group memberships, are compared. The PSO with the lowest precedence value is the resultant PSO.
3. If no PSO is obtained from conditions (1) and (2), the Default Domain Policy is applied.
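The resolution order above can be modelled offline to check which policy a given account ends up with. This is an added example, not code from the original post or from Microsoft; the DNs, PSO names, group-type labels and the "ignored link" note are constructed for illustration, and PSOs with equal precedence values are not modelled because the post does not cover them.

```python
from dataclasses import dataclass

DEFAULT_DOMAIN_POLICY = "Default Domain Policy"

@dataclass(frozen=True)
class PSO:
    name: str
    precedence: int        # lower value wins
    applies_to: frozenset  # DNs in the PSOAppliesTo forward link

def resultant_pso(user_dn, memberships, psos):
    """memberships maps each of the user's group DNs to its group type.
    Returns (resultant policy name, list of notes)."""
    notes = []
    # Condition 1: a PSO linked directly to the user object wins outright.
    direct = [p for p in psos if user_dn in p.applies_to]
    if direct:
        if len(direct) > 1:  # the case the post says is logged as a warning
            notes.append(f"{len(direct)} PSOs linked directly to {user_dn}")
        return min(direct, key=lambda p: p.precedence).name, notes
    # Condition 2: only global security group memberships are considered.
    eligible = {dn for dn, kind in memberships.items() if kind == "global-security"}
    for dn, kind in memberships.items():
        if dn not in eligible and any(dn in p.applies_to for p in psos):
            notes.append(f"PSO link on {kind} group {dn} ignored")  # audit note added here
    via_group = [p for p in psos if p.applies_to & eligible]
    if via_group:
        return min(via_group, key=lambda p: p.precedence).name, notes
    # Condition 3: nothing applicable, so the Default Domain Policy applies.
    return DEFAULT_DOMAIN_POLICY, notes

# Constructed sample directory (hypothetical DNs and PSO names).
BASE = "DC=example,DC=test"
ALICE, BOB, CAROL = (f"CN={n},OU=Staff,{BASE}" for n in ("alice", "bob", "carol"))
G_STAFF, G_OPS, DL_ALL = (f"CN={n},OU=Groups,{BASE}" for n in ("Staff", "Ops", "AllHands"))
PSOS = [
    PSO("Admin-Strict", 30, frozenset({ALICE})),
    PSO("Staff-Standard", 20, frozenset({G_STAFF})),
    PSO("Ops-Strict", 10, frozenset({G_OPS, DL_ALL})),
]
MEMBERS = {
    ALICE: {G_OPS: "global-security"},
    BOB: {G_STAFF: "global-security", G_OPS: "global-security"},
    CAROL: {DL_ALL: "distribution"},
}

if __name__ == "__main__":
    for user, groups in MEMBERS.items():
        print(user, "->", resultant_pso(user, groups, PSOS))
```

In the sample, alice receives her directly linked PSO even though a PSO with a lower precedence value reaches her through a group, and carol falls back to the Default Domain Policy because her only PSO link is on a distribution group.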
Sunday, 9 September 2007
How do you Define the Scope of Fine-Grained Password Policies?
Posted on 11:15 by Unknown