Your network contains an Active Directory forest named contoso.com. The forest functional level is Windows
Server 2012 R2. The forest contains a single domain.
You create a Password Settings object (PSO) named PSO1.
You need to delegate the rights to apply PSO1 to the Active Directory objects in an organizational unit named
OU1.
What should you do?

A.
From Active Directory Users and Computers, run the Delegation of Control Wizard.

B.
From Active Directory Administrative Center, modify the security settings of PSO1.

C.
From Group Policy Management, create a Group Policy object (GPO) and link the GPO to OU1.

D.
From Active Directory Administrative Center, modify the security settings of OU1.

Explanation:

PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs, consider
creating global security groups that contain the users from these OUs and then applying the newly defined
finegrained password and account lockout policies to them. If you move a user from one OU to another, you
must update user memberships in the corresponding global security groups.
Go ahead and hit “OK” and then close out of all open windows. Now that you have created a password policy,
we need to apply it to a user/group. In order to do so, you must have “write” permissions on the PSO object.
We’re doing this in a lab, so I’m Domain Admin. Write permissions are not a problem
1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click Active
Directory Users and Computers).
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password Settings
Container
4. In the details pane, right-click the PSO, and then click Properties.
5. Click the Attribute Editor tab.
6. Select the msDS-PsoAppliesTo attribute, and then click Edit.