If you want to affect local accounts, set the policy on the OU[s] containing the computer objects with a higher precedence than the Domain policy.
It has always been documented that Domain password policy must be in the Default Domain Policy. Recent version covering W2K3 - http://technet.microsoft.com/en-us/library/cc773164(WS.10).aspx

To accommodate APIs from previous versions of the operating system that make changes directly to default GPOs, changes to the following security policy settings must be made directly in the Default Domain Policy GPO or in the Default Domain Controllers Policy GPO:

* Default Domain Security Policy Settings:
  * Password Policy
  * Domain Account Lockout Policy
  * Domain Kerberos Policy

From: Christopher Bodnar [mailto:christopher_bod...@glic.com]
Sent: Wednesday, December 08, 2010 12:30 PM
To: NT System Admin Issues
Subject: GPO for Password Policy question

W2K3 FFL domain:

Can someone let me know if this is correct:

OK, so you have your default domain policy, which is linked to the domain. You have account Password policies configured there. This affects both local SAM accounts and AD accounts.

If you decided for some business reason that you didn't want these password policies to apply to local SAM accounts (i.e. password complexity requirements), but only AD accounts, could you remove the password policies from the default domain GPO and apply them to the default Domain controllers GPO, which should then only affect AD accounts?

Thanks

Chris Bodnar, MCSE
Systems Engineer
Distributed Systems Service Delivery - Intel Services
Guardian Life Insurance Company of America
Email: christopher_bod...@glic.com
Phone: 610-807-6459
Fax: 610-807-6003
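One way to check the behaviour discussed in this thread on a member computer, as an added example that is not part of the original messages: it reads the password policy the local SAM is enforcing and sets it beside the domain password policy, so an OU-linked GPO that overrides the domain values for local accounts shows up as a difference. It assumes an elevated prompt and the ActiveDirectory module; the function name `Get-LocalSamPasswordPolicy` is hypothetical.

```powershell
# Added example: local SAM password policy vs. domain password policy.
# Run elevated on a domain member (on a domain controller both sides are the same policy).
# Assumption: the ActiveDirectory module (RSAT) is installed.
Import-Module ActiveDirectory

function Get-LocalSamPasswordPolicy {
    # secedit exports the effective local security policy as an INF file;
    # the password and lockout values live in the [System Access] section.
    $tmp = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    try {
        secedit /export /cfg $tmp /areas SECURITYPOLICY /quiet | Out-Null
        $policy = @{}
        $inSection = $false
        foreach ($line in Get-Content -Path $tmp) {
            if ($line -match '^\[(.+)\]$') {
                $inSection = ($Matches[1] -eq 'System Access')
                continue
            }
            # Keep only numeric settings; quoted values (account names) are skipped.
            if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
                $policy[$Matches[1]] = [int]$Matches[2]
            }
        }
        return $policy
    }
    finally {
        Remove-Item -Path $tmp -ErrorAction SilentlyContinue
    }
}

$sam    = Get-LocalSamPasswordPolicy
$domain = Get-ADDefaultDomainPasswordPolicy

# secedit key name -> matching value from the domain password policy
$pairs = @(
    @{ Setting = 'MinimumPasswordLength'; Domain = $domain.MinPasswordLength }
    @{ Setting = 'PasswordComplexity';    Domain = [int]$domain.ComplexityEnabled }
    @{ Setting = 'PasswordHistorySize';   Domain = $domain.PasswordHistoryCount }
    @{ Setting = 'LockoutBadCount';       Domain = $domain.LockoutThreshold }
)

foreach ($p in $pairs) {
    [pscustomobject]@{
        Setting  = $p.Setting
        Domain   = $p.Domain
        LocalSam = $sam[$p.Setting]
        Differs  = ($sam[$p.Setting] -ne $p.Domain)
    }
}
```

Rows with `Differs` set to `True` indicate that a GPO other than the domain-level one is setting the password policy for this computer's local accounts.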