Security – security benefit to a regular changing password policy

I assume the GPO you were changing was the Default Domain GPO; that is the only one that affects domain userid's. GPO's on OU's only affects local accounts on domain-member computers that are in that OU.

Although domains in Win2008 mode can do OU-based policy however I have not researched how nor the details.

I think I might be in the minority on this (based on my limited experience dealing with IT departments at school and work), but I think mandatory, time-based password change policies are worthless at best, and harmful at worst. People tend to be very bad at choosing good passwords and keeping them secret. Password expiration policies are designed to mitigate this by limiting the amount of time any one password can be cracked/social engineered/stolen; however, they fail to achieve this in practice, primarily because they force users to relearn their password on a continuous basis. By making it harder for user to commit their passwords to memory, you end up causing many of them to choose weaker passwords, and/or write their passwords down someplace where prying eyes can find them.

Furthermore, when forced to change their password on a regular basis, many users will choose passwords that follow a very recognizable pattern, such as [base string][digit]. Let's say a user wants to use their cat's name Fluffy as their password. They might start out with a password of fluffy, then change it to fluffy1, fluffy2, fluffy3 and so on. In this case, the policy doesn't really help security; even if the user chooses a more secure base string than fluffy, and even if they keep their password safely memorized, the single suffix character that changes every few months does very little to mitigate cracking or social engineering attacks.

See also: Password Expiration Considered Harmful, a short article (not written by me) which I think gives a good introduction to these problems.