Q: Can I apply a different password policy to two different Active Directory (AD) organizational units (OUs)?
Active Directory doesn't support different password policies on different organizational units (OUs), but you can use shadow groups as a workaround.
March 28, 2012
A: No, AD doesn't support different password policies on different OUs -- but you can use a workaround that calls on shadow groups, which I'll explain. In Windows Server 2008, Microsoft introduced fine-grained password policies that let administrators apply different password policies to AD user and global security group objects. However, fine-grained password policies can't be applied to an AD OU.
As a workaround, you can use shadow groups to apply a fine-grained password policy to the users that are contained in an OU. A shadow group is a global security group that you "logically map" (meaning that the mapping doesn't require AD configuration changes) to an OU to enforce a fine-grained password policy. To ease administration, you should align shadow group naming with your OU naming scheme.
When using shadow groups, you create a global security group for each OU where you want to apply another password policy and add the users that are in the OU as members of the newly created shadow group. You can then apply different fine-grained password policies to the different shadow groups. Keep in mind that when using shadow groups, if you move a user from one OU to another, you'll also need to update the membership of the corresponding shadow groups.
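The procedure above (create the shadow group, bind a fine-grained password policy to it, keep its membership equal to the OU's users) can be scripted so that the membership drift caused by moving users between OUs is corrected on a schedule. The following is an added example using the ActiveDirectory PowerShell module; it is not code from the original column. The OU distinguished name, the group name, the policy name and the policy values are assumptions chosen for illustration.

```powershell
# Added example (not from the original column): keep a shadow group in sync with an OU
# and bind a fine-grained password policy (PSO) to that group. Names and values are assumed.
Import-Module ActiveDirectory

$OU          = 'OU=Finance,DC=contoso,DC=com'   # assumed OU to shadow
$ShadowGroup = 'SG-PSO-Finance'                 # assumed shadow group, named after the OU
$PsoName     = 'PSO-Finance'                    # assumed fine-grained password policy name

# 1. Create the global security group for the OU if it does not exist yet.
if (-not (Get-ADGroup -Filter "Name -eq '$ShadowGroup'")) {
    New-ADGroup -Name $ShadowGroup -GroupScope Global -GroupCategory Security `
        -Path $OU -Description "Shadow group for $OU (fine-grained password policy binding)"
}

# 2. Create the PSO if it does not exist yet, then make the shadow group its subject.
#    The policy values below are illustrative, not a recommendation from the column.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$PsoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $PsoName -Precedence 10 `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -MinPasswordAge '1.00:00:00' -MaxPasswordAge '90.00:00:00' `
        -LockoutThreshold 10 -LockoutDuration '00:30:00' -LockoutObservationWindow '00:30:00'
}
Add-ADFineGrainedPasswordPolicySubject -Identity $PsoName -Subjects $ShadowGroup

# 3. Reconcile membership: the group's user members should be exactly the users
#    directly in the OU (SearchScope OneLevel; use Subtree to include child OUs).
$ouUsers = Get-ADUser -SearchBase $OU -SearchScope OneLevel -Filter * |
           Select-Object -ExpandProperty DistinguishedName
$members = Get-ADGroupMember -Identity $ShadowGroup |
           Where-Object objectClass -eq 'user' |
           Select-Object -ExpandProperty DistinguishedName

$toAdd    = @($ouUsers | Where-Object { $_ -notin $members })   # moved into the OU
$toRemove = @($members | Where-Object { $_ -notin $ouUsers })   # moved out of the OU
if ($toAdd.Count)    { Add-ADGroupMember    -Identity $ShadowGroup -Members $toAdd }
if ($toRemove.Count) { Remove-ADGroupMember -Identity $ShadowGroup -Members $toRemove -Confirm:$false }

# 4. Verify which policy actually applies to each user. A user in several shadow groups
#    gets the PSO with the lowest Precedence value; $null means the Default Domain Policy.
foreach ($dn in $ouUsers) {
    $pso = Get-ADUserResultantPasswordPolicy -Identity $dn
    $effective = if ($pso) { $pso.Name } else { 'Default Domain Policy' }
    '{0} -> {1}' -f $dn, $effective
}
```

Run the script from a scheduled task with an account allowed to modify the shadow group so that a user moved between OUs picks up the right policy without manual group edits. Step 4 is the check worth keeping: fine-grained password policies require the Windows Server 2008 domain functional level, and when a user belongs to more than one shadow group the resultant policy is decided by Precedence, so the resultant-policy query confirms what the domain controller will actually enforce rather than what the group membership suggests.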