Many IT Admins and consultants who profess themselves to be AD-competent will tell you that multiple password requirements are a reason to have multiple domains within your Active Directory (AD) forest. You simply can't have multiple password policies in the same domain. And attempting to link GPOs that specify differing password policies to different containers (e.g. different OUs for users) doesn't work.

However, I've found that a lot of them don't seem to know why this is the case. Maybe it's a question they've never turned their minds to, or maybe they don't know as much about AD as they think they do. I'm sure it's the former, though some of my less charitable colleagues argue that it's the latter (big grin).

Password policies, like any other policy setting, apply to a client (be that a computer/machine, a user, or both). So who or what is the client in this case? Despite what many think, it's not the user. And that's the reason you can't have different policies for different users. The clients in this case are the Domain Controllers in your domain.

When you, as a user, change your password, it is submitted via a secure channel to the user's Logon Domain Controller. This DC is responsible for verifying whether the password meets the Domain's password requirements. By password requirements we are talking about length, minimum and maximum age, complexity requirements enforced by passfilt.dll and so forth. Because there can only be one effective policy applied to the DCs in your Domain, there can only be one effective password policy for the domain. If you need multiple password policies, you need multiple domains. (For the time being, let's leave aside options such as writing your own passfilt.dll that is aware of your differing requirements!)
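The following PowerShell is an added example, not part of the original post, that makes the point above visible on a real domain: it reads the single effective password policy as the Domain Controllers enforce it, then lists the GPO links on the containers whose policy the DCs actually process (the domain root and the Domain Controllers OU). It assumes the RSAT ActiveDirectory and GroupPolicy modules are installed and that the caller can read the domain; the "Finance Users" OU in the final step is a hypothetical name for whatever user OU you may have linked a password GPO to.

```powershell
# Added example (not from the original post). Assumes the RSAT ActiveDirectory and
# GroupPolicy modules are present and the session can read domain objects.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain = Get-ADDomain

# 1. The one effective password policy for the domain: this is what the DCs check
#    a submitted password against, regardless of which OU the user object sits in.
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain.DNSRoot
"Effective password policy for {0}:" -f $domain.DNSRoot
$policy | Select-Object MinPasswordLength, MinPasswordAge, MaxPasswordAge,
    PasswordHistoryCount, ComplexityEnabled, LockoutThreshold | Format-List

# 2. The GPO links that feed into that policy are the ones the DCs process:
#    the domain root (where Default Domain Policy is linked) and the Domain
#    Controllers OU. Whichever password settings win here are the domain's settings.
foreach ($target in @($domain.DistinguishedName, $domain.DomainControllersContainer)) {
    "GPO links on $target (lowest Order = highest precedence):"
    (Get-GPInheritance -Target $target).GpoLinks |
        Sort-Object Order |
        Select-Object Order, DisplayName, Enabled, Enforced |
        Format-Table -AutoSize
}

# 3. For comparison, a GPO linked to a user OU (hypothetical OU name below) will
#    show up as a link on that OU, but users are not the client for account
#    policy, so nothing linked here changes the result of step 1.
$userOu = "OU=Finance Users," + $domain.DistinguishedName   # hypothetical OU
if (Get-ADOrganizationalUnit -Filter "DistinguishedName -eq '$userOu'" -ErrorAction SilentlyContinue) {
    "GPO links on $userOu (do not affect the domain password policy):"
    (Get-GPInheritance -Target $userOu).GpoLinks |
        Select-Object Order, DisplayName, Enabled | Format-Table -AutoSize
} else {
    "No OU named '$userOu' found; substitute the DN of one of your user OUs."
}
```

Run it from an elevated PowerShell session on a domain-joined machine with RSAT. If you change the minimum length in a GPO linked only to a user OU, re-running step 1 shows the same MinPasswordLength as before; changing it in the GPO that wins at the domain root is what moves the value.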