As far as I know, if the SQL Server is on a domain, the domain's password policy is the one that's enforced. If the server's not on a domain, then the local password policy is enforced.
Microsoft Certified Master: SQL Server, MVP, M.Sc (Comp Sci)SQL In The Wild
: Discussions on DB performance with occasional diversions into recoverability
We walk in the dark places no others will enter
We stand on the bridge and no one may pass