In Windows Server 2003 SP1 or R2 one of the major limitations was the ability to only have one password policy per domain. Pain right? The product team realized this was a major pain point for many customers, so they added some new password policy functionality to Windows Server 2008 which was made available as of Beta 3.
In Windows Server 2008, we now have the concept of password settings objects or PSOs. Every PSO contains all of the same password-related information you’re familiar with in server 2000/2003 such as lockout duration, minimum password age, etc.
A cool common use scenario: All domain administrators have a more complex password policy while the rest of the users in the domain have a less-restrictive password policy.
So what are some things you can do now with Password policies (PSOs)?
What are some of the downfalls?
So how do I get started? Check out these tools and the GUI PSO tool.
Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration
Changes in Functionality from Windows Server 2003 with SP1 to Windows Server 2008 –Page 83
Download RCO of Windows Server 2008