Situation is this:
I need to have a particular container in my AD environment which blocks password expiry policy, but accepts all other policies. Is this something that would work by simply adding in a GPO at the sub-OU level? (The OU in question is a child of OUs where GPOs including password stuff are set.)
These accounts (and this OU) already exist and will have the default domain policy as well as other policies applied, and they should continue to receive policy settings as per those GPOs, with the exception of the Password Expiry.
We have tried the password do not expire tickbox and that seems not to have worked.
Thanks in advance.
Kip
You don't mention whether you're working with a Windows 2003 Active Directory or a Windows 2008 Active Directory.
In a Windows 2003 Active Directory all domain user accounts are subject to the resultant account policy from GPOs applied at the root of the domain. You can't have some accounts with different password policies (expiry, length, lockout settings, etc.). (Local user accounts on non-domain controller computers can have different password policies, but domain users all fall under the same domain password policy.)
In Windows 2008 Active Directory, when set to a Windows 2008 functional level, you can have "granular" password policies. Microsoft didn't implement this with Group Policy, though. Rather, a new type of Active Directory object is used. Here's an article re: granular password policy to get you started, if you can use them: http://technet.microsoft.com/en-us/library/cc770394(WS.10).aspx
If you're stuck at Windows 2003 Active Directory the only method to have different password policies for a subset of users is to create another domain and put the accounts in that domain.
What version of Windows server are you running? If you don't have 2008 or your domain is not at the 2008 functional level it simply isn't possible.
Here is an article about Fine-Grained Password Policies.
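
The fine-grained password policy approach from the answers above, as an added example that is not part of the original thread. It assumes the ActiveDirectory PowerShell module and a Windows 2008 domain functional level; the OU path, group name and PSO name are placeholders. A Password Settings Object applies to users or global security groups rather than OUs, and it replaces the whole domain password policy for its subjects, so every setting other than expiry is copied from the domain policy.

```powershell
Import-Module ActiveDirectory

# Placeholders (assumptions, not values from the thread)
$ouDn      = 'OU=NoExpiry,OU=Staff,DC=example,DC=com'
$groupName = 'PSO-NoExpiry-Users'
$psoName   = 'PSO-NoExpiry'

# Shadow group: PSOs cannot be linked to an OU, so mirror the OU into a global group.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouDn
}
$current = @(Get-ADGroupMember -Identity $groupName |
             Select-Object -ExpandProperty distinguishedName)
$missing = @(Get-ADUser -SearchBase $ouDn -SearchScope Subtree -Filter * |
             Where-Object { $current -notcontains $_.DistinguishedName })
if ($missing) { Add-ADGroupMember -Identity $groupName -Members $missing }

# Copy the domain-wide settings so only the maximum password age differs.
$d = Get-ADDefaultDomainPasswordPolicy
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    $pso = @{
        Name                        = $psoName
        Precedence                  = 10                 # lower number wins if several PSOs apply
        MaxPasswordAge              = [TimeSpan]::Zero   # zero = password never expires
        MinPasswordAge              = $d.MinPasswordAge
        MinPasswordLength           = $d.MinPasswordLength
        PasswordHistoryCount        = $d.PasswordHistoryCount
        ComplexityEnabled           = $d.ComplexityEnabled
        ReversibleEncryptionEnabled = $d.ReversibleEncryptionEnabled
        LockoutThreshold            = $d.LockoutThreshold
        LockoutDuration             = $d.LockoutDuration
        LockoutObservationWindow    = $d.LockoutObservationWindow
    }
    New-ADFineGrainedPasswordPolicy @pso
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# Verify: report which PSO (if any) is the resultant policy for each user in the OU.
foreach ($u in Get-ADUser -SearchBase $ouDn -SearchScope Subtree -Filter *) {
    $r = Get-ADUserResultantPasswordPolicy -Identity $u
    [pscustomobject]@{
        User           = $u.SamAccountName
        ResultantPSO   = $r.Name            # empty means the domain policy still applies
        MaxPasswordAge = $r.MaxPasswordAge
    }
}
```

Accounts later moved into or out of the OU are not picked up automatically; the group-sync portion has to be rerun, for example as a scheduled task.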