Does Default Domain Policy always win? Different password policies in production domain

Solution 1:

Password policy settings apply to the computer's local security database (Security Account Manager). On Domain Controllers that database is the Active Directory database. On member computers that is the local security database of the member computers. Therefore the password policy settings defined in the Default Domain Policy GPO will by default apply to Active Directory user accounts and to local user accounts on member computers.

When you apply a GPO with different password policy settings to computer accounts in the domain, as you have with your password GPO linked to your FTP servers OU, you are applying those password policy settings to the local security database of the FTP servers. These password settings will therefore apply to users in the local security database of those servers and will affect only the local user accounts on the FTP servers.

You see your GPO as the winning GPO because it is in fact being applied to those servers, but again, it applies to the local security database of those servers and affects only the local user accounts on those servers. It does not affect domain user accounts.

When you read "There can only be one password policy in the domain", what you should read is "There can only be one password policy in the domain for domain user accounts". You can apply different password policy settings to member computers, but those settings will only affect the local user accounts on those computers.

Note that this answer doesn't address FGPP. In your scenario, this answer addresses your question and your concern.

Solution 2:

FGPP has precedence over Default Domain Policy.
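The following script is an added example, not part of either answer, for checking the three policies the answers distinguish: the Default Domain Policy that governs AD accounts, any Fine-Grained Password Policy (FGPP) that takes precedence over it for a given user, and the policy the member server's local SAM actually enforces for local accounts. It assumes the RSAT ActiveDirectory module and WinRM access to the server; `FTP01` and `jdoe` are hypothetical placeholder names.

```powershell
# Added verification script (not from the original answers).
# Assumptions: RSAT ActiveDirectory module installed, WinRM enabled on the server,
# and the two names below are hypothetical placeholders.
Import-Module ActiveDirectory

$server = 'FTP01'   # hypothetical member server in the FTP servers OU
$user   = 'jdoe'    # hypothetical domain user account

# 1. The domain-wide policy that applies to Active Directory user accounts.
$domainPolicy = Get-ADDefaultDomainPasswordPolicy
Write-Host "Default Domain Policy (AD accounts): MinLength=$($domainPolicy.MinPasswordLength) MaxAge=$($domainPolicy.MaxPasswordAge)"

# 2. All FGPPs in the domain, ordered by precedence (lowest number wins on conflict).
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge, AppliesTo |
    Format-Table -AutoSize

# 3. The resultant policy for one domain user. $null means no FGPP applies,
#    so the Default Domain Policy is the effective policy for that account.
$fgpp = Get-ADUserResultantPasswordPolicy -Identity $user
if ($fgpp) {
    Write-Host "FGPP '$($fgpp.Name)' wins for ${user}: MinLength=$($fgpp.MinPasswordLength) MaxAge=$($fgpp.MaxPasswordAge)"
} else {
    Write-Host "No FGPP applies to ${user}; the Default Domain Policy is effective."
}

# 4. The policy enforced by the member server's local SAM. This is what the GPO
#    linked to the FTP servers OU changes, and it affects local accounts only.
#    'net accounts' without /domain reports the local policy of the machine it runs on.
$localPolicy = Invoke-Command -ComputerName $server -ScriptBlock { net accounts }
Write-Host "Local SAM policy on ${server} (local accounts only):"
$localPolicy |
    Where-Object { $_ -match 'Minimum password length|Maximum password age|Minimum password age' } |
    ForEach-Object { Write-Host "  $_" }
```

If the OU-linked GPO is applied, step 4 shows the values from that GPO while step 1 still shows the Default Domain Policy values, which is exactly the split between local and domain accounts described in Solution 1.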