This process is different from typical logon-password handling, in which users’ passwords are hashed by means of a one-way algorithm at the workstation and sent to the DC. Users could set their passwords before you introduce the password policy, and you could then set those passwords to never expire. Doing so would let users keep simple passwords, but they could then never change those passwords, which isn’t a good idea.
To configure different password policies for different users, you have three options:
- Place users that need a different password policy into a separate child domain. This tactic would require a lot of additional infrastructure.
- If you’re using Windows Server 2008, you can use fine-grained password policies. The domain must be running in Server 2008 mode because only Server 2008 DCs understand fine-grained password policies.
- Use a third-party add-on that enables multiple password policies within a domain. Third-party options include Special Operations Software’s Specops Password Policy (www.specopssoft.com/products/specopspasswordpolicy/) and nFrontSecurity’s nFront Password Filter (nfrontsecurity.com/products/nfront-password-filter/).
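
As an added example (not part of the original article), the fine-grained password policy option can be scripted as follows. It assumes the ActiveDirectory PowerShell module, which ships with Windows Server 2008 R2 and later; on Server 2008 itself the same Password Settings Object (PSO) is created with ADSI Edit or ldifde. The PSO name, group name, and policy values are hypothetical.

```powershell
# Added example: assumes the ActiveDirectory module (RSAT) is installed and the
# session has rights to create Password Settings Objects (PSOs).
Import-Module ActiveDirectory

# Hypothetical names, for illustration only.
$psoName   = 'PSO-PrivilegedAdmins'
$groupName = 'Privileged-Admins'   # PSOs apply to users and global security groups

# Fine-grained password policies need the Server 2008 domain functional level or higher.
$mode = (Get-ADDomain).DomainMode
if ($mode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level is $mode; fine-grained password policies are unavailable."
}

# Create the stricter policy only if it does not exist yet.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 15 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -LockoutThreshold 5 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30)
}

# Link the PSO to the group unless it is already a subject of the policy.
$linked = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    Where-Object { $_.Name -eq $groupName }
if (-not $linked) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# Verify: report which policy actually wins for each user in the group.
# An empty result from Get-ADUserResultantPasswordPolicy means the default domain policy applies.
Get-ADGroupMember -Identity $groupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User         = $_.SamAccountName
            EffectivePSO = if ($rp) { $rp.Name } else { '(default domain policy)' }
        }
    }
```

When more than one PSO reaches a user through group membership, the one with the lowest precedence value wins, and a PSO linked directly to the user object overrides any linked through a group.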





