Historically, password policy [in AD] defines how passwords have to be — for example, eight characters long and [they] expire every 90 days. You’ve only been able to have one [password policy] per AD domain and Microsoft changed it so you can now have multiple ones and define them on a per-user basis. that has been a major request for a while !