PrepAway - Latest Free Exam Questions & Answers

You need to delegate the rights to apply PSO1 to the Active Directory objects in an organizational unit named

Your network contains an Active Directory forest named contoso.com. The forest functional level is
Windows Server 2012 R2. The forest contains a single domain.
You create a Password Settings object (PSO) named PSO1.
You need to delegate the rights to apply PSO1 to the Active Directory objects in an organizational
unit named OU1.
What should you do?


A. From Active Directory Users and Computers, run the Delegation of Control Wizard.

B. From Active Directory Administrative Center, modify the security settings of PSO1.

C. From Group Policy Management, create a Group Policy object (GPO) and link the GPO to OU1.

D. From Active Directory Administrative Center, modify the security settings of OU1.

Explanation:
PSOs cannot be applied to organizational units (OUs) directly. If your users are organized into OUs,
consider creating global security groups that contain the users from these OUs and then applying the
newly defined fine-grained password and account lockout policies to them. If you move a user from
one OU to another, you must update user memberships in the corresponding global security groups.

Go ahead and hit “OK” and then close out of all open windows. Now that you have created a
password policy, we need to apply it to a user/group. In order to do so, you must have “write”
permissions on the PSO object. We’re doing this in a lab, so I’m Domain Admin. Write permissions
are not a problem.
1. Open Active Directory Users and Computers (Start, point to Administrative Tools, and then click
Active Directory Users and Computers).
2. On the View menu, ensure that Advanced Features is checked.
3. In the console tree, expand Active Directory Users and Computers\yourdomain\System\Password
Settings Container.
4. In the details pane, right-click the PSO, and then click Properties.
5. Click the Attribute Editor tab.
6. Select the msDS-PsoAppliesTo attribute, and then click Edit.
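
The shadow-group approach described in the explanation, as an added PowerShell example that is not part of the original page: it keeps a global security group in step with the users in OU1 and links PSO1 to that group. The group name `OU1-PSO1-Users` and the DN `OU=OU1,DC=contoso,DC=com` are assumptions; the script needs the ActiveDirectory module and write permission on PSO1.

```powershell
# Added example, not from the original page.
# Assumptions: OU1 sits directly under contoso.com; the group name is hypothetical.
Import-Module ActiveDirectory

$OuDn      = 'OU=OU1,DC=contoso,DC=com'   # assumed DN of OU1
$GroupName = 'OU1-PSO1-Users'             # hypothetical shadow group
$PsoName   = 'PSO1'

# Create the global security group once, if it does not exist yet.
$group = Get-ADGroup -Filter "Name -eq '$GroupName'"
if (-not $group) {
    $group = New-ADGroup -Name $GroupName -GroupScope Global `
                         -GroupCategory Security -PassThru
}

# Users currently under the OU versus users currently in the group.
$ouUsers = @(Get-ADUser -SearchBase $OuDn -SearchScope Subtree -Filter * |
             Select-Object -ExpandProperty DistinguishedName)
$members = @(Get-ADGroupMember -Identity $group |
             Where-Object objectClass -eq 'user' |
             Select-Object -ExpandProperty distinguishedName)

# Users moved into the OU are added; users moved out are removed,
# so the PSO stops applying to them.
$toAdd    = @($ouUsers | Where-Object { $_ -notin $members })
$toRemove = @($members | Where-Object { $_ -notin $ouUsers })
if ($toAdd.Count -gt 0) {
    Add-ADGroupMember -Identity $group -Members $toAdd
}
if ($toRemove.Count -gt 0) {
    Remove-ADGroupMember -Identity $group -Members $toRemove -Confirm:$false
}

# Link the PSO to the group (this writes msDS-PsoAppliesTo on the PSO).
$applied = @(Get-ADFineGrainedPasswordPolicySubject -Identity $PsoName |
             Select-Object -ExpandProperty DistinguishedName)
if ($group.DistinguishedName -notin $applied) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $group
}

# Report the resultant policy per OU user so drift is visible.
# EffectivePso is empty when only the default domain policy applies.
foreach ($dn in $ouUsers) {
    $rp = Get-ADUserResultantPasswordPolicy -Identity $dn
    [pscustomobject]@{ User = $dn; EffectivePso = $rp.Name }
}
```

Run on a schedule, this keeps group membership aligned with OU moves; a user whose `EffectivePso` is not PSO1 is covered by a higher-precedence PSO or by one linked directly to the account.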

2 Comments on “You need to delegate the rights to apply PSO1 to the Active Directory objects in an organizational unit named

  1. asd says:

    I believe the answer is B but the explanation is wrong.

    If you look at steps 5 and 6 you’ll notice they go into the Attribute Editor in order to allow the PSO to be applied TO the OU as a whole.

    The question is asking to delegate the rights (permissions) to apply PSO1 to objects IN an OU (not to the OU itself).

    Thus the answer reads: “modify the security settings of PSO1”
    Because we are delegating the ability to read/write the PSO to specific OBJECTS in an OU, to someone who is not an administrator.

    This may be reading too much into it but something to consider.



