It's a new feature in windows server 2008 that allow you to set password policy and lockout policy separately to individual users or security group.
The down side it takes long time than usual to configure it. But it's depending on your organization requirement to do it or not.
Give it a try by following this steps:
1. Open ADSI edit from Administrative tools folder ( in the DC server ).
2. Right-Click ADSI edit and choose connect to.
3. In the name Box type (your domain name or any preferred name). then OK.
4. Expand your Domain tree and select your domain name DC= Domain, DC= com.
5. Expand DC=Domain, DC=com and select CN=System.
6. Expand CN=System and select CN=Password setting container.
All PSOs are created from here and stored here too.
7. Right click, choose new and then select Object.
There is only one Object will appears in the create object box (msDS-PasswordSetting).
8. Then Next
You will be prompt to enter the values of your settings
These are mandatory attributes, Later you will be able to choose optional at the end.
9. In the edit attributes box, type the FQDN of your desired object (Group or user) to apply PSO.
There is a GUI tool also which can be downloaded from
It's long as it seems but as security setting it's worth it.