Just a quick point on Password Policy in Windows 2003 domains:
In Windows 2003 there's only one Default Domain Policy and it's applied at the Domain level. This has the Password Policy data in it and Password Policy can only be set in this one place and effects all users of the domain. You actually have to go in and edit the Default Domain Policy itself (which effects all users) rather than trying to apply a separate policy at a lower (eg: OU) level because the lower one will never take effect for Password Policy stuff. Incidentally many administrators feel your pain so Microsoft took it upon themselves to allow different Password Policies at an OU level in Windows 2008 native domains/forests.