The msDS-ResultantPSO attribute exists on AD DS beginning with the Windows Server 2008 operating system. This attribute does not exist on AD LDS. This attribute specifies the effective password policy applied on this object.
The value of msDS-ResultantPSO is a single value of Object (DS-DN) syntax. This attribute is constructed as follows:
Let RESULTSET be a set of DS-DN, initially empty.
Let U be the object from which the msDS-ResultantPSO attribute is being read.
If the domain functional level is less than DS_BEHAVIOR_WIN2008, then there is no value in this attribute.
If U!objectClass does not contain the value "user", then there is no value in this attribute.
If the U!msDS-SecondaryKrbTgtNumber attribute has a value, then there is no value in this attribute.
If RESULTSET is empty:
    Let S be the set of objects returned by invoking the algorithm in [MS-DRSR] section 22.214.171.124 (IDL_DRSGetMemberships) using DRS_MSG_REVMEMB_REQ_V1.OperationType=RevMembGetAccountGroups, DRS_MSG_REVMEMB_REQ_V1.ppDsNames=U, and DRS_MSG_REVMEMB_REQ_V1.pLimitingDomain = the domain for which the server is a DC.
    For each O (an object) in S do the following:
        RESULTSET = RESULTSET union O!msDS-PSOApplied
Return the first element in the sorted RESULTSET (if empty, the msDS-ResultantPSO attribute is not present).
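The construction above as a runnable Python model over constructed in-memory objects; this is an added example, not text from the specification. Assumptions not stated on this page: the `account_groups` field stands in for the IDL_DRSGetMemberships result, PSOs linked directly to U seed RESULTSET before the group step, and RESULTSET is sorted by msDS-PasswordSettingsPrecedence ascending with objectGUID (compared as a string here) as tie-breaker.

```python
from dataclasses import dataclass
from typing import Optional

DS_BEHAVIOR_WIN2008 = 3  # domain functional level value for Windows Server 2008

@dataclass(frozen=True)
class PSO:
    dn: str
    precedence: int  # msDS-PasswordSettingsPrecedence (assumed sort key)
    guid: str        # objectGUID as a string (assumed tie-breaker)

@dataclass
class DirObject:
    dn: str
    object_class: tuple
    pso_applied: tuple = ()                        # msDS-PSOApplied
    secondary_krbtgt_number: Optional[int] = None  # msDS-SecondaryKrbTgtNumber
    account_groups: tuple = ()  # stand-in for the IDL_DRSGetMemberships result (S)

def resultant_pso(u: DirObject, domain_level: int) -> Optional[str]:
    """Return the DN msDS-ResultantPSO would hold for u, or None if absent."""
    if domain_level < DS_BEHAVIOR_WIN2008:
        return None
    if "user" not in u.object_class:
        return None
    if u.secondary_krbtgt_number is not None:
        return None
    resultset = set(u.pso_applied)  # assumption: direct links seed RESULTSET
    if not resultset:
        for o in u.account_groups:
            resultset |= set(o.pso_applied)
    ordered = sorted(resultset, key=lambda p: (p.precedence, p.guid))
    return ordered[0].dn if ordered else None

# Constructed sample directory (all names are made up).
STRICT = PSO("CN=Strict,CN=Password Settings Container,CN=System,DC=example,DC=test", 10, "a1")
RELAXED = PSO("CN=Relaxed,CN=Password Settings Container,CN=System,DC=example,DC=test", 50, "b2")
admins = DirObject("CN=Admins,DC=example,DC=test", ("top", "group"), (STRICT,))
helpdesk = DirObject("CN=Helpdesk,DC=example,DC=test", ("top", "group"), (RELAXED,))
USER = ("top", "person", "organizationalPerson", "user")
alice = DirObject("CN=alice,DC=example,DC=test", USER, account_groups=(admins, helpdesk))
bob = DirObject("CN=bob,DC=example,DC=test", USER, (RELAXED,), account_groups=(admins,))
carol = DirObject("CN=carol,DC=example,DC=test", USER)
rodc_krbtgt = DirObject("CN=krbtgt_1234,DC=example,DC=test", USER, (STRICT,), 1234)

if __name__ == "__main__":
    for obj in (alice, bob, carol, rodc_krbtgt, admins):
        print(obj.dn, "->", resultant_pso(obj, DS_BEHAVIOR_WIN2008))
```

Under the direct-link assumption, bob resolves to the relaxed PSO even though a stricter one reaches him through a group, so direct links on privileged accounts are worth reviewing when auditing effective password policy.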