I use the "DOMAIN SECURITY POLICY" snap-in to define the password policy and a few other little things.
I use the default domain policy (the one that is applied to the root domain) to set my basic security configurations. This is like a template for all of my OUs.
I then use just GPOs for other OUs that need additional rights. I block inheritance on these OUs so they do not inherit anything from the default domain policy. However, the password policy defined in the Domain Security Level cannot be blocked.
Does everything sound like I'm doing this correctly?