You must require strong passwords (complexity on) for local user accounts only, not domain accounts. Where should you configure Group Policy in a Windows 2000 domain with computers and users separated into OUs?

Introduction / Context:
In Windows 2000, the domain password policy applies at the domain level to domain accounts. Local SAM accounts on member servers and workstations follow the effective Account Policies from the computer’s local security policy, which can be set via a GPO linked to the OU containing the computer.

Given Data / Assumptions:

• Goal: enforce complexity only for local accounts, not all domain users.
• Computers and users are organized into separate OUs.
• Windows 2000 domain (mixed or native mode).

Concept / Approach:
Create or edit a GPO linked to the OU containing the target computers. Under Computer Configuration > Windows Settings > Security Settings > Account Policies > Password Policy, enable ‘‘Passwords must meet complexity requirements.’’ This affects the local SAM on those computers and does not change the domain policy for domain accounts.

Step-by-Step Solution:

Verification / Alternative check:
Attempt to set a weak password for a local account; it should be rejected. Domain account policies remain governed by the domain's root GPO.

Why Other Options Are Wrong:

• Domain-root policy would affect all domain accounts, not just local ones.
• User-OU GPO Account Policies do not apply to domain controller password policy nor to local SAMs on member computers.
• Configuring each local machine manually does not centralize enforcement.

Common Pitfalls:
Linking the policy to user OUs has no effect on local SAM account policies; ensure the scope targets computer objects.

Final Answer:
Link a GPO to the OUs that contain the computer accounts and enable ‘‘Passwords must meet complexity requirements’’