
Tuesday, December 14, 2010

Group policy for password changing

Here is some nasty info about adding a password policy to an ADS:

  • Password policy can only be set at the domain level.

If you would like to have different password policies, you have to

  • create a subdomain
or
  • change to Server 2008, where you can use fine-grained password policy, which gives you the option of using different password policies
or
  • look out for a 3rd party tool

What might be the technical reason for this?

The whole login/authorization of Windows (before Windows 2008/Vista) is based on NTLM, which basically means you are logging on to an NT-style domain.
So all users in that domain have the same (NT-style) password restriction.

If all your systems are Windows 2008 or newer, then Kerberos is used for authentication/logon, and here apparently password policies are applied as normal users would expect.
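The fine-grained password policy option from the list above, as an added example that is not part of the original post: it creates a stricter password settings object (PSO), links it to a group, and reports which policy each member actually receives. It assumes the ActiveDirectory PowerShell module (shipped with Windows Server 2008 R2 and later) and a domain functional level of Windows Server 2008 or higher; the PSO name, group name and all policy values are constructed placeholders.

```powershell
# Added example. Assumptions: ActiveDirectory module available, domain functional
# level Windows Server 2008 or higher, run with rights to create PSOs.
Import-Module ActiveDirectory

$psoName   = 'PSO-Admins-Strict'   # hypothetical PSO name
$groupName = 'Tier0-Admins'        # hypothetical global security group

# The single domain-wide policy every account gets unless a PSO overrides it.
$default = Get-ADDefaultDomainPasswordPolicy

# Create the stricter policy only if it does not exist yet (values are constructed).
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 16 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true
}

# PSOs attach to users or global security groups, not to OUs.
$subjects = @(Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    ForEach-Object { $_.SamAccountName })
if ($subjects -notcontains $groupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# Verify: list the policy each direct member really gets. A $null result means
# no PSO applies and the account falls back to the domain default.
Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        New-Object PSObject -Property @{
            User      = $_.SamAccountName
            Policy    = if ($rp) { $rp.Name } else { 'Default Domain Policy' }
            MinLength = if ($rp) { $rp.MinPasswordLength } else { $default.MinPasswordLength }
        }
    }
```

When several PSOs reach the same user, the one with the lowest precedence value wins, so the report is the reliable way to confirm what is enforced.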