This process is different from typical logon-password handling, in which users’ passwords are hashed by means of a one-way algorithm at the workstation and sent to the DC. Users could set their passwords before introducing the password policy; then, you could make the passwords never expire. Doing so would mean that users would use simple passwords, but then they could never change their passwords, which isn’t a good idea.
To configure different password policies for different users, you have three options:
- Place users that need a different password policy into a separate child domain. This tactic would require a lot of additional infrastructure.
- If you’re using Windows Server 2008, you can use fine-grained password policies. The domain must be running in Server 2008 mode because only Server 2008 DCs understand fine-grained password policies.
- Use a third-party add-on that enables multiple password policies within a domain. Third-party options include Special Operations Software’s Specops Password Policy (www.specopssoft.com/products/specopspasswordpolicy/) and nFrontSecurity’s nFront Password Filter (nfrontsecurity.com/products/nfront-password-filter/).