How can a department enforce a password change every 90 days instead of the domain setting of 180 days?

The correct approach to enforce a password change every 90 days at a departmental level, rather than relying on the domain setting of 180 days, involves modifying the Group Policy Object (GPO) at the Organizational Unit (OU) level.

When you modify the GPO for an OU, you can set specific policies that apply only to the users and computers within that OU. This targeted application allows departments to have different password policies compared to the domain-wide settings. By configuring the password policy in the GPO linked to the OU, you can specify that users within that department must change their passwords every 90 days, effectively overriding the default domain policy.

Establishing a new domain would be an impractical solution, as it involves significant overhead and change management. Changing the global policy settings would affect all users across the domain, which is not ideal for departmental needs. Implementing a local security policy might allow for password change configurations on an individual machine, but it would not provide a scalable solution for managing multiple users under a centralized policy framework. Thus, modifying the GPO at the OU level is the most effective and efficient way to enforce a 90-day password change policy for a specific department.