That cannot be done via Group/security policy via normal methods. There can
be only one domain password/account policy for domain users and it is
"computer" configuration - not user configuration which would mean your
method would not work even if it was possible to have multiple
password/account policies per domain. There are a couple of workarounds. Some
use scripts or custom password filters, neither of which I have ever tried.
A custom password filter is something that takes a good programmer to write.
Others have suggested scripts to force users to change their passwords at
next logon on a schedule different than domain policy. I prefer smart cards
as they increase security dramatically and policy can be configured to
require a user account to use a smart card and force logoff when the smart
card is removed. The downside is that they can only use them on computers
that have smart card readers. Smart card readers are relatively inexpensive
these days and the issuance of certificates is not all that difficult. See
the first link below for possible scripts that you can use from the Windows
Script center, many of which require easy modification to work in your
environment. The Active Directory command line tools such as dsquery and
dsmod could also be used if you have an XP Pro domain member that could be a
secure admin workstation and that you could install adminpak for Windows
2003 on.

--- Steve
http://www.microsoft.com/technet/scriptcenter/scripts/ad/users/pwds/default.mspx
http://www.microsoft.com/technet/pr...elp/46ba1426-43fd-4985-b429-cd53d3046f01.mspx
http://www.microsoft.com/downloads/...15-c8f4-47ef-a1e4-a8dcbacff8e3&DisplayLang=en
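
The script workaround mentioned in the post, sketched with the dsquery and dsmod tools it names. This is an added example and not part of the original post. The OU distinguished name, the 30-day limit and the log file name are constructed assumptions.

```bat
@echo off
rem Added example: flag accounts in ONE OU for "must change password at next
rem logon" when their password is older than a limit shorter than the
rem domain-wide maximum password age.
rem ASSUMPTIONS (constructed, not from the post): TARGET_OU, MAX_AGE_DAYS, LOG.
setlocal
set "TARGET_OU=OU=Privileged Users,DC=example,DC=com"
set "MAX_AGE_DAYS=30"
set "LOG=%~dp0stalepwd.log"

echo %DATE% %TIME% checking "%TARGET_OU%" for passwords older than %MAX_AGE_DAYS% days>>"%LOG%"

rem dsquery prints one quoted DN per line. -stalepwd selects users whose
rem password has not changed for at least that many days; -limit 0 lifts the
rem default cap of 100 results so no account is silently skipped.
for /f "delims=" %%U in ('dsquery user "%TARGET_OU%" -stalepwd %MAX_AGE_DAYS% -limit 0') do (
    rem %%U keeps the quotes dsquery emitted, so DNs with spaces stay intact.
    dsmod user %%U -mustchpwd yes >nul
    if errorlevel 1 (
        echo FAILED  %%U>>"%LOG%"
    ) else (
        echo FLAGGED %%U>>"%LOG%"
    )
)
endlocal
```

Scope the OU so it excludes service accounts and smart-card-only accounts, and review the FAILED lines in the log after each scheduled run.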