I need to setup vendor VPN accounts with an extended password expiration policy on our AD domain. I've come to the realization that since they don't use domain member computers, they are restricted by the domain password policy. My idea is to create and OU with a policy that changes the password policy. Create a DC in that OU so that it inherits the policy. Then, create user accounts against that DC. Think it will work?