OK, in regards to question: http://www.experts-exchange.com/Operating_Systems/Windows_Server_2003/Q_21887340.html
Now I know you cant BLOCK password policy when they are set at domain level BUT.. the question I now face is what about other things.
Can I set a domain level policy for stopping access to the cdrom for example BUT block it at the server login OU by selecting block policy inheritance.
correct me if i'm wrong, but from the above post, it seems that ANY changes made to a default domain policy at domain level cannot be blocked in any OU below... is this correct? or does this apply to passwords policies only?