It has become a requirement for us to have more than one password policy on the same domain. I have been doing some research and it looks like the way to achieve this is through Fine-Grained Password Policies. I can see plenty of articles online which explain it, and there is a tool for doing this now, rather than using ADSI Edit (for example, https://specopssoft.com/blog/create-fine-grained-password-policy-active-directory/). We already have a GPO-based password policy.
My question is: how do we move from the GPO password policy to Fine-Grained? Will it cause a mess with the security or potentially lock people out? Can you just create a Fine-Grained policy in addition to the GPO one and attach it to an OU, or will that be overridden? Do we have to completely remove the GPO and create Fine-Grained policies? I can't see anything online which explains how to move from one to the other and what the implications are.
Fine-grained password policies will overrule 'generic' or GPO password policies.
You can also easily assign these new fine-grained policies to a group of users to test with.
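The pilot approach described in the answer above, as an added example that is not part of the original posts: it leaves the existing GPO policy in place, creates one fine-grained policy, links it to a test group, and reports which policy each member resolves to. It assumes the ActiveDirectory RSAT module; the policy name, group name and all setting values are constructed placeholders.

```powershell
# Added example; names and values are hypothetical, adjust before use.
Import-Module ActiveDirectory

$psoName   = 'PSO-Pilot'          # hypothetical policy name
$testGroup = 'FGPP-Pilot-Users'   # hypothetical global security group

# Record the domain-wide (GPO-delivered) settings so the pilot can be compared.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, PasswordHistoryCount, MaxPasswordAge, LockoutThreshold

# Create the fine-grained policy only if it does not exist yet.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 14 `
        -PasswordHistoryCount 24 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MaxPasswordAge (New-TimeSpan -Days 90) `
        -LockoutThreshold 10 `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
        -LockoutDuration (New-TimeSpan -Minutes 30) `
        -ProtectedFromAccidentalDeletion $true
}

# Fine-grained policies are linked to users or global security groups.
$linked = (Get-ADFineGrainedPasswordPolicySubject -Identity $psoName).Name
if ($testGroup -notin $linked) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $testGroup
}

# Report the policy each pilot user actually resolves to.
# Get-ADUserResultantPasswordPolicy returns nothing when no fine-grained
# policy applies, meaning the user is still on the domain default.
Get-ADGroupMember -Identity $testGroup |
    Where-Object objectClass -eq 'user' |
    ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        [pscustomobject]@{
            User      = $_.SamAccountName
            Policy    = if ($rp) { $rp.Name } else { 'Default Domain Policy' }
            MinLength = if ($rp) { $rp.MinPasswordLength } else { $null }
        }
    }
```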