We have already spent some time in this book updating password criteria for our domain. To accomplish this, we edited the built-in Default Domain Policy GPO, as it exists in any instance of an Active Directory domain and contains password settings by default. I bring up this topic once again to point out the fact that this prebuilt policy, Default Domain Policy, really is the best place to maintain password settings for most companies.
This mindset differs from my advice for any other kind of setting. My general advice for the Default Domain Policy is "don't touch it!" You should not be throwing settings into that policy for the fun of it. In general, whenever you want to push out new settings with Group Policy, it should really be from inside a brand new GPO. The exception to this rule is password-related settings. When increasing the security of your passwords, it certainly is possible to incorporate password settings into a new GPO, but that GPO then automatically starts stepping on the toes of Default Domain Policy.
While this is not necessarily bad, remember that GPOs have to prioritize themselves over each other all the time, so it could easily lead to confusion down the road. If you have password settings inside the Default Domain Policy, and more password settings hiding inside a new GPO as well, what happens when you go on vacation and another administrator at your company suddenly needs to figure out how to change password complexity requirements? I hope you took your laptop along on that Bahamas trip. Maintaining password rules and regulations in multiple locations will turn hairy, so it's best to leave them all in one place. Unless you have a very good reason to divert, that one place should really be the Default Domain Policy GPO.
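A check that follows the advice above, as an added PowerShell example that is not from the book: it reports the password policy the domain actually enforces and lists every GPO that defines password settings, flagging any that are not the Default Domain Policy. It assumes the RSAT GroupPolicy and ActiveDirectory modules are installed, and that the GPO XML report names account-policy settings in `Account`/`Name` elements (an assumption about the report format).

```powershell
# Added example (not from the book): find every GPO that carries password
# settings so that a policy competing with Default Domain Policy is easy to spot.
# Assumes the RSAT GroupPolicy and ActiveDirectory modules on a domain-joined host.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# Well-known GUID of the Default Domain Policy (the same in every AD domain).
$defaultDomainPolicyId = [guid]'31B2F340-016D-11D2-945F-00C04FB984F9'

# Account-policy names as they appear in a GPO XML report (assumed element names).
$passwordSettings = @(
    'MinimumPasswordLength', 'PasswordComplexity', 'PasswordHistorySize',
    'MaximumPasswordAge', 'MinimumPasswordAge', 'ClearTextPassword'
)

function Get-GpoPasswordSettings {
    param([Parameter(Mandatory)] $Gpo)
    # Pull the GPO's settings as XML. The local-name() XPath ignores namespace
    # prefixes, so the query does not depend on the prefix the report uses.
    [xml]$report = Get-GPOReport -Guid $Gpo.Id -ReportType Xml
    foreach ($node in $report.SelectNodes("//*[local-name()='Account']")) {
        $name = $node.SelectSingleNode("*[local-name()='Name']").InnerText
        if ($passwordSettings -contains $name) {
            $valueNode = $node.SelectSingleNode(
                "*[local-name()='SettingNumber' or local-name()='SettingBoolean']")
            [pscustomobject]@{
                GPO                   = $Gpo.DisplayName
                IsDefaultDomainPolicy = ($Gpo.Id -eq $defaultDomainPolicyId)
                Setting               = $name
                Value                 = $valueNode.InnerText
            }
        }
    }
}

# The password policy the domain enforces today, for comparison with the GPOs.
Get-ADDefaultDomainPasswordPolicy |
    Format-List MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
                MaxPasswordAge, MinPasswordAge

# Every GPO that defines password settings. Rows with IsDefaultDomainPolicy=False
# are the competing policies worth consolidating back into Default Domain Policy.
$results = Get-GPO -All | ForEach-Object { Get-GpoPasswordSettings -Gpo $_ }
$results | Sort-Object IsDefaultDomainPolicy -Descending | Format-Table -AutoSize
$results | Where-Object { -not $_.IsDefaultDomainPolicy } |
    Select-Object -Property GPO -Unique
```

Run it with an account that can read all GPOs; a second GPO showing up in the last list is exactly the "stepping on the toes" situation the text warns about.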