Windows: the password drama continues
Setting password policies in Windows Server 2003 and earlier versions can feel a little like a running soap opera. If the executives in your company want a year between password changes, for example, but 90 days for everyone else, your only real solution is to create a special domain just for them.
The reason for this limitation is because password policies, unlike all other Group Policies, are traditionally applied only at the domain level. More domains mean more domain controllers (DCs), and that means more management headaches. So our solution to the problem sometimes means changing everyone's policy to something less secure.
[ Read more ]