By default, the password policy causes users' passwords to expire every 42 days. No other options are set by default. Other options to consider are the minimum password length, the number of old passwords the system remembers, the maximum password age and the account lockout details. To change these settings, run the Domain Security Policy console, which is in the Administrative Tools program group.
1. Expand the Account Policies node
2. Expand the Password Policy node – here you will be able to set the following
Enforce password history = this is the number of previous passwords the system will remember, so that users cannot simply alternate between 2 or 3 passwords.
Maximum password age = this is effectively the time between mandatory password changes for the user accounts.
Minimum password age = this setting will prevent the user from changing their password too quickly – when used in combination with the Enforce password history option above, it will prevent a user from alternating between a series of set passwords.
Minimum password length = this is the minimum number of characters that a password must contain.
Passwords must meet complexity requirements = use this option if you want to require users to have strong passwords, i.e. with letters and numbers etc.
Store password using reversible encryption for all users in the domain = this option is normally set to disabled, but some applications may require you to use it in the enabled state.
3. Once you have set the Password Policy, you may also want to consider setting the Account Lockout Policy, which is the node in the tree directly below the Password Policy. Here you can set the number of invalid password attempts within a certain time period that will lock the user's account, either until an administrator unlocks it or until a preset timeout period elapses and the system unlocks it.
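
The settings above can also be checked from PowerShell. The following is an added example, not part of the original procedure: Test-PasswordPolicy is a hypothetical helper name, the sample objects are constructed, and the property names are assumed to be those returned by the ActiveDirectory module's Get-ADDefaultDomainPasswordPolicy cmdlet.

```powershell
# Added example. Test-PasswordPolicy is a hypothetical helper name, not a built-in cmdlet.
# It expects the property names returned by Get-ADDefaultDomainPasswordPolicy.
function Test-PasswordPolicy {
    param([Parameter(Mandatory)] $Policy)

    $findings = @()

    # History and minimum age only work as a pair (see the settings above).
    if ($Policy.PasswordHistoryCount -eq 0) {
        $findings += 'Enforce password history is 0: a previous password can be reused at once.'
    }
    elseif ($Policy.MinPasswordAge -eq [TimeSpan]::Zero) {
        $findings += "History remembers $($Policy.PasswordHistoryCount) passwords but minimum age is 0: " +
                     'repeated changes in one sitting lead back to the original password.'
    }
    if ($Policy.MinPasswordLength -eq 0) {
        $findings += 'Minimum password length is 0: no length requirement is enforced.'
    }
    if (-not $Policy.ComplexityEnabled) {
        $findings += 'Complexity requirements are disabled.'
    }
    if ($Policy.ReversibleEncryptionEnabled) {
        $findings += 'Reversible encryption is enabled: confirm an application really requires it.'
    }
    if ($Policy.LockoutThreshold -eq 0) {
        $findings += 'Account lockout threshold is 0: invalid attempts never lock the account.'
    }
    $findings
}

# Constructed sample matching the defaults described above: 42-day maximum age, nothing else set.
$sample = [pscustomobject]@{
    MaxPasswordAge              = New-TimeSpan -Days 42
    MinPasswordAge              = [TimeSpan]::Zero
    PasswordHistoryCount        = 0
    MinPasswordLength           = 0
    ComplexityEnabled           = $false
    ReversibleEncryptionEnabled = $false
    LockoutThreshold            = 0
}
Test-PasswordPolicy -Policy $sample

# Constructed sample: history is now set, but minimum age was left at 0.
$sample.PasswordHistoryCount = 3
Test-PasswordPolicy -Policy $sample

# Against a live domain (needs the ActiveDirectory module):
# Test-PasswordPolicy -Policy (Get-ADDefaultDomainPasswordPolicy)
```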