GPO - password/account settings at the OU level

[Blake]

We are trying to set some password/account settings at the OU level
(password complexity, minimum length, lockout, etc.) Some documentation
says this must be set at the domain level and doesn't function anywhere
else. Can anyone verify/dispute this? Can I set a different password
policy for different OUs? If not, why does MS give me the option to do so?

Thanks
Blake

 

[Steven L Umbach]

For "domain" accounts, password policy can only be set at the domain
level. If you set it at the OU level it will be enforced for local machine
accounts only in that OU. --- Steve MVP

 

[Hindy]

Password policy must be set at the domain level. Think
about it - all your domain accounts are stored on the
DC's, which aren't in the OU's that you are specifiying
polciy on (its a machine level policy), so why would they
be effected?

MS gives you this option because the password policy you
set on OU's will effect the local SAM database on the
machines stored within that OU. It will not effect domain
accounts, only local accounts.