Which password policy gets triggered if we have a subset of users in a user directory that is part of two password policies?
All the password policies that apply are triggered.
So, in your use case, both policies are triggered.
The order in which password policies are processed depends upon the password policy priorities.
You can also set an option to skip processing lower priority password policies.
Ujwol's Single Sign-On Blog
I believe the strongest of the two password policies applies, if the same user subset is present in more than one password policy.
Thanks Hubert. I would like to understand "strongest of the two password policies applies" ...
Let's suppose I have two password policies (ODBC) with the below settings:
1. Max invalid login 3 times & Re-enable after 30 mins
2. Max invalid login 3 times & Re-enable after 20 mins
In this scenario which one will be triggered?
Ideally, from a security standpoint, we would like to have the strongest applied based off the Journey. In the example that was showcased, it'd be - if the journey being performed is, user entering wrong password three times.
From a product standpoint, we'd like the product to function as per the strongest being enforced. I'd test this, as the configuration is not complex. Also, the smtracedefault.log spews out the password policy actions, which would help us validate our thought.
Having said the above, here's another purview (just my 1 cent)....
From an Organizational Security perspective, what is the password policy we would like to be enforced? Having two password policies for the same subset of users seems like a detrimental design / implementation. It really doesn't make sense, e.g. Single Identity Store, Single User, Two or more Password Policies applied - why? It would be an absolute nightmare to manage password resets and user experience behaviour, if this were to continue.
I'd ideally look at designing a password policy which is nuclear to a set of users. A good design of password policy should never be in this situation where the same subset of users is actionable across different password policies.
What is the order if both the password policies have the same priority? Could you please let us know how I can skip processing lower priority policies other than disabling them? I am using 12.52 SP2 WAMUI.
For better thread management, I have opened a new thread for your question: Password Policy order of execution