Microsoft: password policy limitations

I sometimes get asked what the limitations are for the default password policy in a Windows AD domain. Here goes:

• You can only enforce one password policy per domain
• Password Never Expires: If selected, the password for this account never expires. This setting overrides the domain account policy. Generally, it's not a good idea to set a password so it doesn't expire because this defeats the purpose of having passwords in the first place. But it is useful in combination with service accounts
• Should be applied on the ROOT domain container