Here's an update to this feature shout-out. My customer is already running Windows Server 2008 AD, and below is a description of the solution:
Today we are actually implementing Complex passwords. Our goal for Server 2008 and complex passwords was the ability and flexibility of setting different password policies for different populations of people based on their function at the College. We would break it down so that any personnel who had access to sensitive data would be required to have 4 of 4 complexity and password expiration every 30 days or so. Then we would set all other College staff to have 3 of 4 and change their passwords every 90 days and for students we would be less restrictive on them since they only access their own information and resources which College does not feel is sensitive to the organization. I don’t have a problem with you using College as a platform for this piece.
The first shout-out goes to fine grained password and lockout policy.
I was visiting a school last week that had a single forest/domain for everyone (students, faculty, staff). They were about to take some serious heat for implementing very complex password rules for students. Complex passwords are highly recommended, but older versions of Active Directory made this an all-or-nothing deal.
Well, Windows Server 2008 has a solution. Password policies are no longer limited to a single domain-wide policy, and you can carve out multiple policies for disparate constituencies.
Step-by-Step Guide for Fine-Grained Password and Account Lockout Policy Configuration: http://technet2.microsoft.com/windowsserver2008/en/library/2199dcf7-68fd-4315-87cc-ade35f8978ea1033.mspx?mfr=true
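As an added example (not from the original post or from Microsoft's guide), the three tiers described above can be created as Password Settings Objects with the ActiveDirectory PowerShell module, assuming that module is available and the domain is at the Windows Server 2008 functional level. Group names, minimum lengths, lockout numbers, the student expiry and the sample account are assumptions; the built-in complexity setting is a single on/off flag, so it does not by itself distinguish 3-of-4 from 4-of-4.

```powershell
# Added example: one Password Settings Object (PSO) per population.
# Only the 30-day and 90-day expiries come from the post; every other
# value and all group names are hypothetical placeholders.
Import-Module ActiveDirectory

# PSOs attach to users or global security groups, not OUs.
# When a user is covered by several PSOs, the LOWEST Precedence value wins.
$tiers = @(
    @{ Name = 'PSO-SensitiveData'; Group = 'GG-SensitiveData-Staff'; Precedence = 10
       MaxAgeDays = 30;  MinLength = 14; Lockout = 5 },
    @{ Name = 'PSO-Staff';         Group = 'GG-College-Staff';       Precedence = 20
       MaxAgeDays = 90;  MinLength = 10; Lockout = 10 },
    @{ Name = 'PSO-Students';      Group = 'GG-Students';            Precedence = 30
       MaxAgeDays = 180; MinLength = 8;  Lockout = 20 }   # "less restrictive": assumed values
)

foreach ($t in $tiers) {
    # Create the PSO only if it does not exist yet, so the script can be re-run.
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$($t.Name)'")) {
        New-ADFineGrainedPasswordPolicy -Name $t.Name -Precedence $t.Precedence `
            -ComplexityEnabled $true -ReversibleEncryptionEnabled $false `
            -MinPasswordLength $t.MinLength -PasswordHistoryCount 24 `
            -MinPasswordAge (New-TimeSpan -Days 1) `
            -MaxPasswordAge (New-TimeSpan -Days $t.MaxAgeDays) `
            -LockoutThreshold $t.Lockout `
            -LockoutDuration (New-TimeSpan -Minutes 30) `
            -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    }

    # Link the PSO to its group unless it is already linked.
    $linked = @(Get-ADFineGrainedPasswordPolicySubject -Identity $t.Name |
                ForEach-Object { $_.Name })
    if ($linked -notcontains $t.Group) {
        Add-ADFineGrainedPasswordPolicySubject -Identity $t.Name -Subjects $t.Group
    }
}

# Verify which PSO actually wins for a given account ('jdoe' is a placeholder).
# No output means no PSO applies and the default domain policy is in effect.
Get-ADUserResultantPasswordPolicy -Identity 'jdoe' |
    Select-Object Name, Precedence, MaxPasswordAge, MinPasswordLength, LockoutThreshold
```

Run the final check for an account that belongs to more than one of the groups to confirm the stricter policy takes precedence.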