We know that we can set domain password policies through a group policy tied to the domain NC head. We know that up until 2008, this policy becomes the singular effective password policy for all domain user accounts. This means that even if we create a group policy and tie it to an OU lower down in the structure, say an Admins OU, this will not affect domain user policy – even for thos admin accounts in that OU. So, natively, we can’t set one policy for our users and another, more restrictive policy for our admins. However, what is often unknown or overlooked is that password policy set down at the lower OU may actually have an impact.
If the policy in the lower OU applies only to users, then the password policy settings will be useless (remember, password policy settings are applied in the computer portion of policy) – even if we enable Loopback Processing. But, if the password policy applies to computers (workstations or servers), then the policy does have an impact.
Group policy settings become part of the effective local policy. The password policy settings for local policy affect any local accounts; and every Windows machine has a local accounts database. The password policy settings in the group policy will overwrite any locally configured settings and the accounts in the local SAM will be subjected to these domain-based password policy settings.
I occasionally have customers request that their local accounts have a different password policy than the domain (say, a longer password requirement). To apply that to some contained set of workstations, simply create a policy linked to the OU or a parent OU of these workstations and configure the password policy settings there. It will have no impact on the domain password policy but it will affect local accounts on the workstations.