I look after a server in our Melbourne office (Windows 2012 Server), it is mainly accessed by RDP clients from around Asia Pacific.
The business is owned by a US company and they want me to implement password policies:
•	10 Characters
•	Complexity (3 of 4) Upper/Lower/Spec/Symbol
•	Not part of the username
•	No dictionary words
•	Changed min of every 90 days/max 1 in 24 hours
•	Locked after 5 for 1 hour
•	Cannot be the same a 5 previous
First I used "Group Policy Management Editor" and changed settings below:
I tested a user account and sure enough it asked to change password and seemed to work. I was a little worries about using GPO and Default Domain Policy to do this as I have application accounts which I do not want GPO to apply too. One of our apps run with escalated privileges and I have created an account for this app and do not want to change password for it.
While I was googling around I realized I can use a thing called "Fine-Grained Password Policy" - Seemed like a greta little solution so I undid the changes to GPO
Fine Grained didn't seem to work, I created a Global Security group and added a couple of users to it and applied the following settings to that group:
By this stage I was getting a bit confused and wanted to start again, so I deleted the Password setting container and made sure no setting existed in GPO:
When I now go in to AD and select a user and make them change their password on next logon it still applies password complexity, not sure where it's getting this from? I have run "gpresult /Z" from the user account and definitely nothing about password settings!!! grrrr!
what is the best way for me to do this on Windows Server 2012? basically want to apply the rules above only to users, basically excluding 1 or 2 accounts which will be used as a service account for applications to use to run in elevated mode.