I found this article: AD DS Fine-Grained Password and Account Lockout Policy Step-by-Step Guide really useful to set fine-grained password policies for a user or a Security Group.
But I haven't found any way to do this at an OU level - at least not any way that I can get it to work.
Any good articles that show how to do this?
You cannot apply FGPP to an OU directly.
http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
Fine-grained password policy cannot be applied to an organizational unit (OU) directly. To apply fine-grained password policy to users of an OU, you can use a shadow group.
A shadow group is a global security group that is logically mapped to an OU to enforce a fine-grained password policy. You add users of the OU as members of the newly created shadow group and then apply the fine-grained password policy to this shadow group. You can create additional shadow groups for other OUs as needed. If you move a user from one OU to another, you must update the membership of the corresponding shadow groups.