As you may have heard, Microsoft is finally providing the ability to have fine-grained password policies within a single AD domain. That means you can now have different password policies for different user groups within AD. This feature is described nicely in Jorge de Almeida's excellent blog entry.
Despite the long-standing need for this feature, the one thing I don't like about the new fine-grained password policy is that it's a completely separate mechanism for managing password policy from the existing GPO-based method, which, by the way, is still present in Server 2008. In the absence of fine-grained password policies set in AD, the default is still whatever you've defined in your domain-linked GPO. This can get confusing, since you now need to consult two mechanisms to determine the effective password policy for any given user. I think Jorge's advice in his blog is good: once you implement fine-grained password policies, implement them for all users, so that you essentially don't need to care what Group Policy is doing with account policy anymore. That will simplify management of this stuff tremendously!
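To make that advice concrete, here is an added PowerShell example (not from the original post or from Jorge's blog) that creates a baseline PSO applied to every user, a stricter PSO for a privileged group, and then audits which users would still fall back to the GPO-defined domain default. It assumes the ActiveDirectory module (available from Server 2008 R2 onward; on Server 2008 itself you would build the same PSO objects with ADSI Edit or ldifde), that you run it as a member of Domain Admins, and a hypothetical global security group named "Tier0-Admins". The PSO names, precedence values and policy settings are illustrative choices, not values from the post.

```powershell
# Added example: cover all users with PSOs so the GPO account policy no longer matters.
Import-Module ActiveDirectory

# 1. Baseline PSO for everyone. Precedence: lower number wins when a user
#    is covered by more than one PSO, so the baseline gets a high number.
New-ADFineGrainedPasswordPolicy -Name "PSO-Baseline-AllUsers" -Precedence 100 `
    -ComplexityEnabled $true -MinPasswordLength 12 `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "180.00:00:00" `
    -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 10 -LockoutDuration "00:30:00" -LockoutObservationWindow "00:30:00"

# Apply it to Domain Users. PSOs bind to users or global security groups;
# Domain Users is a global group, so this reaches every account in the domain.
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Baseline-AllUsers" -Subjects "Domain Users"

# 2. Stricter PSO for privileged accounts, with a lower precedence number so it
#    overrides the baseline for members of the (hypothetical) Tier0-Admins group.
New-ADFineGrainedPasswordPolicy -Name "PSO-Strict-Admins" -Precedence 10 `
    -ComplexityEnabled $true -MinPasswordLength 20 `
    -MinPasswordAge "1.00:00:00" -MaxPasswordAge "60.00:00:00" `
    -PasswordHistoryCount 24 -ReversibleEncryptionEnabled $false `
    -LockoutThreshold 5 -LockoutDuration "01:00:00" -LockoutObservationWindow "01:00:00"
Add-ADFineGrainedPasswordPolicySubject -Identity "PSO-Strict-Admins" -Subjects "Tier0-Admins"

# 3. Audit: for each enabled user, report the resultant PSO. When no PSO applies,
#    Get-ADUserResultantPasswordPolicy returns nothing and the user is still
#    governed by the domain-linked GPO, which is the situation the post warns about.
$domainDefault = Get-ADDefaultDomainPasswordPolicy
$report = foreach ($u in Get-ADUser -Filter 'Enabled -eq $true') {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $u
    [pscustomobject]@{
        User        = $u.SamAccountName
        Source      = if ($pso) { "PSO" } else { "GPO default" }
        PolicyName  = if ($pso) { $pso.Name } else { "(domain default)" }
        MinLength   = if ($pso) { $pso.MinPasswordLength } else { $domainDefault.MinPasswordLength }
        MaxAgeDays  = if ($pso) { $pso.MaxPasswordAge.Days } else { $domainDefault.MaxPasswordAge.Days }
    }
}

# Anyone still listed as "GPO default" is a gap in your PSO coverage.
$report | Sort-Object Source, User | Format-Table -AutoSize
$report | Where-Object Source -eq "GPO default"
```

Once the audit shows no "GPO default" rows, the GPO account policy still exists but no longer decides any user's effective password settings, which is exactly the single-mechanism state the post recommends. Re-run the audit after creating new groups or service accounts, since an account that is not a member of a PSO-bound group silently falls back to the GPO.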