g000se asked:
I know you can block policies on OUs, but can you block it when it's the Default Domain Policy?

I currently have a password policy in place under the domain policy. I wanted to know if it's possible to block that policy from being inherited. I know you can block policies on OUs, but can you block it when it's the Default Domain Policy? My concern is that I want to be able to change the system account (i.e. #ismailaccount) manually without being prompted by the domain policy that the password is going to expire.

Thanks in advance for your help.
jamesreddy:

Yes, it's possible. When you right-click on the OU and go to Properties, then click the Group Policy tab, whatever is listed there is what is assigned. Let's imagine you have the following setup:

Default Domain - Default Domain Policy
       \
         \
           \
           OU-1
               \
                 \
                   \
                   OU-2

By default, if your default domain is assigned the Default Domain Policy, both OUs, 1 & 2, will inherit those policies.  HOWEVER, if you right-click OU2, go to properties, click Group Policy tab, you can check the box at the bottom that says "Block Policy Inheritance".  That will prevent OU2 from receiving the Default Domain Policy and thus, allow you to do what you are asking.

Hope that helps you!

James
Something else you can do, if you only want it NOT to apply to one user or group of users (I think that's how I understand your question), is to filter that account from applying the Default Domain Policy.

Here's how:

Open Domain Users and Computers
Right click on the Domain
Select Properties
Click on the Group Policy tab
Select the Default Domain policy
Click the Properties button
Click on the Security tab
Click Add
Add the user you want to exclude from the policy
       (#ismailaccount for example)
Click OK
Highlight the username you just added
Click the checkbox to Deny this user the Apply Group Policy permission
"OK" your way out

This user will no longer have any part of the Default Domain policy applied.
Just reread your question.  The short answer is that yes, the default domain policy can be blocked as long as it does not have the No Override option checked.
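The GPMC mechanics the two answers above describe (blocking inheritance on an OU, the "No Override" flag, which GPMC now calls Enforced, and denying Apply Group Policy to a single account), written out as an added PowerShell example that is not part of the original thread. It uses the GroupPolicy and ActiveDirectory modules from current RSAT instead of the Windows 2000 Users and Computers dialogs the posts walk through; the OU name ServiceAccounts and the account name are assumptions. The last step is the check a practitioner wants before relying on any of this: the domain's account policy, as Get-ADDefaultDomainPasswordPolicy reports it, is the same before and after either scoping change.

```powershell
# Added example, not from the thread. Requires the GroupPolicy and ActiveDirectory
# RSAT modules and rights to edit GPOs. Assumed names: OU "ServiceAccounts" in the
# current domain, service account "#ismailaccount" (the thread's example name).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$domainDn = (Get-ADDomain).DistinguishedName
$ouDn     = "OU=ServiceAccounts,$domainDn"
$svc      = '#ismailaccount'
$gpoName  = 'Default Domain Policy'

# 1. Links at the domain level. "Enforced" is GPMC's name for the old "No Override"
#    checkbox; an enforced link wins over Block Inheritance further down the tree.
(Get-GPInheritance -Target $domainDn).GpoLinks |
    Select-Object DisplayName, Enforced, Enabled, Order

# 2. "Block Policy Inheritance" on the OU, then read back what the OU still inherits.
#    This blocks every non-enforced GPO linked above the OU, not just one of them.
Set-GPInheritance -Target $ouDn -IsBlocked Yes
$ouInh = Get-GPInheritance -Target $ouDn
"Inheritance blocked on ${ouDn}: $($ouInh.GpoInheritanceBlocked)"
$ouInh.InheritedGpoLinks | Select-Object DisplayName, Enforced   # enforced links remain

# 3. Security filtering on the GPO. Set-GPPermission can only grant or remove, so the
#    "Deny Apply Group Policy" step from the post is written as a Deny ACE for the
#    Apply-Group-Policy extended right on the GPO's AD object.
$gpo = Get-GPO -Name $gpoName
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission

$applyGpRight = [Guid]'edacfd8f-ffb3-11d1-b41d-00a0c968f939'   # rightsGuid of "Apply Group Policy"
$sid = (Get-ADUser -Identity $svc).SID
$ruleArgs = @(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Deny,
    $applyGpRight
)
$deny = New-Object -TypeName System.DirectoryServices.ActiveDirectoryAccessRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path "AD:\$($gpo.Path)"       # $gpo.Path is the GPO container's DN
$acl.AddAccessRule($deny)
Set-Acl -Path "AD:\$($gpo.Path)" -AclObject $acl
# GPMC keeps the SYSVOL folder ACL in step with the AD object; Set-Acl here touches only
# AD, so open the GPO in GPMC afterwards and accept the prompt to synchronise permissions.

# 4. The check that matters for the question. Password age, length, complexity and
#    lockout are account policies: the domain controllers apply the domain's single set
#    to every domain account. Steps 2 and 3 change which GPOs the user object's OU
#    receives and leave this output exactly as it was.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, ComplexityEnabled, LockoutThreshold
```

Run step 1 first on a real domain: if the Default Domain Policy link shows Enforced, step 2 will not remove it from the OU at all, which is the "No Override" case the short answer above refers to.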
For domain accounts, there can be only one account policy (http://www.microsoft.com/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/Default.asp?url=/resources/documentation/WindowsServ/2003/enterprise/proddocs/en-us/AccountPoliciestopnode.asp).
You cannot block it.
If you need different account policies, you have to create a second domain.

Regards,
bernhard
Addendum:

If you only need a local login, maybe this helps:

http://www.jsiinc.com/SUBE/tip2200/rh2214.htm

best regards,
bernhard
Well, here's something that wasn't addressed by that little MS article. Yes, there can only be one account policy on a domain, but can that policy be blocked or filtered? That's the real question, isn't it?

If it can be blocked and/or filtered, then my and/or jamesreddy's solutions would work. Right?
Maybe I am not understanding the original question, but it seems to me the easiest way to do this is to set the account in dsa.msc to have a password not to expire for that account.  I am certain that takes precedence over any domain account policy.

@CountRugen
The default domain policy does not directly affect the (domain) user, but the DC, so you can only change the account policy for the whole DC (= for all domain users). -> only one password policy for the domain.
(This behavior is a popular trap in MCSE exams ...)
Your solution only works when the user logs in locally.

I am 99% sure, but I will try it tomorrow in a test environment. (Enough for today; my local time is 1:49 AM, sorry ...)

best regards
berni
domain-name.com - No policy assigned
  |\
  |  \
  |    \
  |      \
  |      OU1 - OU1 Policy applied
  |
  |
  |
   \
     \
       \
        OU2 - OU2 Policy applied


OU1 and OU2 can have separate password policies applied to them. If you put the account whose password you do NOT want to expire into a separate OU and tell that OU policy to never let the account expire, it will work. I can verify this, as it has been my network setup for several years now. For certain users, who I know have a good quality password and I know will safeguard it, I have been able to place them into my secondary OU and it will effectively stop them from having to change the password.

I'm not sure what the article above is referencing, but it does not seem to be speaking of the same thing you are.  If all you want to do is be able to stop password changes for an account or group of accounts, make sure your Default Domain Policy is set to NOT CONFIGURED for password expiration rules, create 2 OUs, one for regular users, and one for users whose passwords will not expire, then assign the appropriate policy.  It's not difficult.  My password expiration policies differ between different groups of students within my school, so I know this is possible.

Unless I'm not interpreting your question correctly, that is how I do it.  It will work for you too.

James
Yes Bern...that last statement is correct.  There is no way to prevent the Default Domain Controllers Policy from affecting the DCs.  He is asking about a specific user account's password expiration though.  It is possible to allow the user accounts passwords to expire at different times or not at all.  It is being applied to the USER, not the DC, in this instance.
I noticed that berni's article referenced Windows Server 2003 so I went and rooted around for some similar coaching on Windows 2000 and this is what I found...

"Only one set of password, account lockout, and Kerberos version 5 authentication protocol policies can be configured for the domain. Other password and account lockout settings will only affect the local accounts on member servers."

http://www.microsoft.com/technet/Security/prodtech/win2000/secwin2k/05secdom.mspx#XSLTsection124121120120

This whole thing is very confusing...
Netman66:
Berni1234 is correct.  Account Policies are ruled by the Domain and cannot be overridden or blocked.  Multiple domains are necessary to have multiple account policies.
Wait a second...are we talking about domain user accounts or system accounts?  Because I guarantee that I have multiple account policies in my single domain structure utilizing different OUs.  
Hey James,

Are you absolutely sure they're working correctly?  Account Policies such as lockout, expiration, password length, complexity and times are controlled strictly by the Domain Policy - you cannot change that.

OUs can have policies of their own, but the only single time they will rule is if the user logs into their member workstation with a local account.


Well, let me put it this way.  I have a single domain.  In that domain I have an OU called students.  Under students, I have several more, but let's use Medical and CNA as two examples.  My CNA group has a password expiration time of 0, indicating they will never expire, and thus, they never have.  My medical students have an expiration of 30 days, and they STILL complain to me to this day about having to change that password every thirty days.  It has been working for me for a while.  Is it a change with 2003?
Netman66 (solution; text available to members only):
crap...reolved = resolved.  I need typing lessons!
@jamesreddy
Could not confirm your solution. I have tried it in a test environment, but it doesn't work. Maybe it works if you have never changed the (default domain) password policy ...

@g000se
Maybe is this a solution for you:

If you don't need a domain account, you could create a local user on the corresponding machine (where you could change the account policies). This does not work on a DC ...
[Solution post; text available to members only]
g000se (asker):
I appreciate all the input, and I am still a little confused as I try to understand it all. I have created system accounts such as #ismailaccount to run services on the Windows 2000 servers. I have the default domain policy in place to change the password in 90 days. These system accounts that I created are in an OU that has been created as well. As I read the comments, it seems that the default domain policy will not be blocked on the OU even if I have set that. I haven't had the chance to test it out. It sounds like I am better off placing a check mark in the box for each system account I created for the password to never expire, so I can manually change those passwords. By doing this it will protect the accounts from being prompted to change the passwords, right?
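The approach the asker settles on, the "Password never expires" checkbox on each service account, as an added PowerShell example that is not from the thread. It assumes the ActiveDirectory module, that the service accounts sit in an OU named ServiceAccounts, and that they are named with a leading '#' as #ismailaccount is; all three are assumptions. The flag lives on the user object (the DONT_EXPIRE_PASSWORD bit of userAccountControl), which is why it holds regardless of what GPO inheritance or filtering does to the OU. The end of the block goes beyond the page: the service enumeration and the fine-grained password policy check belong to later Windows versions than the Windows 2000 domain under discussion.

```powershell
# Added example, not from the thread. Requires the ActiveDirectory RSAT module.
# Assumed: service accounts live in OU=ServiceAccounts and are named with a leading
# '#' (e.g. #ismailaccount); the 90-day MaxPasswordAge is the asker's figure.
Import-Module ActiveDirectory

$ouDn   = "OU=ServiceAccounts,$((Get-ADDomain).DistinguishedName)"
$filter = 'SamAccountName -like "#*"'

# The one account policy the domain has. This is what a service trips over when
# its account's password ages out.
Get-ADDefaultDomainPasswordPolicy | Select-Object MaxPasswordAge, MinPasswordLength

# Expiry as the DC computes it for one account. msDS-UserPasswordExpiryTimeComputed is
# a FILETIME; Int64.MaxValue means "never", 0 means "must change at next logon".
function Get-PasswordExpiry {
    param([Parameter(Mandatory)][string]$Identity)
    $u = Get-ADUser -Identity $Identity -Properties PasswordNeverExpires, PasswordLastSet, 'msDS-UserPasswordExpiryTimeComputed'
    $raw = [Int64]$u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($raw -eq [Int64]::MaxValue -or $raw -eq 0) { $null } else { [DateTime]::FromFileTimeUtc($raw) }
    [pscustomobject]@{
        Account              = $u.SamAccountName
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordLastSet      = $u.PasswordLastSet
        ExpiresUtc           = $expires
    }
}

# Before: each service account with the date the domain policy will expire it.
Get-ADUser -SearchBase $ouDn -Filter $filter |
    ForEach-Object { Get-PasswordExpiry -Identity $_.SamAccountName } | Format-Table -AutoSize

# The "Password never expires" checkbox from dsa.msc. It sets DONT_EXPIRE_PASSWORD
# (0x10000) in userAccountControl on the account object itself, which is why it holds
# whatever GPO inheritance or filtering says about the OU.
Get-ADUser -SearchBase $ouDn -Filter $filter | Set-ADUser -PasswordNeverExpires $true

# After: ExpiresUtc is empty for every account, and the password is rotated by hand.
Get-ADUser -SearchBase $ouDn -Filter $filter |
    ForEach-Object { Get-PasswordExpiry -Identity $_.SamAccountName } | Format-Table -AutoSize

# The flag removes the prompt, not the need to rotate. A manual change must be pushed to
# every service logging on as the account in the same window; this lists them on the
# machine it runs on (add -ComputerName for each server that hosts the services).
Get-CimInstance -ClassName Win32_Service -Filter "StartName LIKE '%#ismailaccount%'" |
    Select-Object Name, StartName, State

# Beyond the thread: on a domain at Windows Server 2008 functional level or later, a
# fine-grained password policy applied to a group is the supported way to give these
# accounts their own MaxPasswordAge without a second domain. On the Windows 2000 domain
# in the thread this returns nothing.
Get-ADUserResultantPasswordPolicy -Identity '#ismailaccount'
```

The "Before" table is worth keeping: an account whose ExpiresUtc is already in the past explains a service that has stopped logging on, and the "After" table is the evidence that the checkbox, not the OU policy, is what changed.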
[Asker-certified solution; text available to members only]