Multiple PSOs To One User?
In Windows Server 2008, you have ability to create multiple password policies to a user or security group. For security groups the members of the group will get the password policies but not the Security Group itself. When applying multiple password policies for a single user, AD doesn't give you warning message that only one PSO will be in effect. This article explains how AD handles the conflict in case of multiple PSOs applied to a user.
1. Checks the value of attribute:msDS-PasswordSettingsPrecendence, If value is lowest for this PSO, the password settings will be applied from this PSO.
2. If value of the above attribute is equal then the PSO settings with the smallest GUID is applied to the user.