Setting Different Password Policies for Different Groups

Q: Help! I'm trying to set up a password policy with Group Policy. I'd like to use a new Group Policy Object (GPO) linked to the domain level. Do I have to use Authenticated Users?. If so, can I deny access to users or groups so they can't read the policy? We have a manufacturing enviroment with a lot of computers on the plant floor that use autologon to log on to the domain. I'd like to exclude those machines if possible. Is there any way to apply a password policy to only the office computers?

A: Security expert Orin Thomas says, "The default domain password policy applies to all regardless of scope. You could achieve what you want by creating a child domain and moving the plant floor computers to the child domain. Separate domains are the only way to set multiple password policies."