

Use the Security tab to configure the inactivity timeout, password reset policies, and the lockout threshold.

Users should remain at their computer while resetting their password or unlocking their account. Their account could be compromised if they leave their computer after answering the first question. APR protects user accounts by expiring sessions if users take too long to respond. Select the inactivity timeout from the Expire idle sessions after drop-down list. Set it to 0 seconds to disable the inactivity timeout.

Select the Enforce the AD password history and minimum age policies for resets check box to enforce these Active Directory password policies during a reset. Older Windows versions cannot enforce these policies for password resets. This capability was added as a hotfix for Windows 2008 R2 (see Microsoft KB 2386717). The hotfix is included with SP1 for Windows 2008 R2, and is a standard feature on later Windows versions.

Enforcing a minimum age for password resets may increase the number of help desk calls because users won't be able to reset recently changed passwords. Users are more likely to forget a password shortly after changing it. One solution is to clear the check box above, and select the Require users to change their password after a reset check box instead. The Active Directory password history policy won't be enforced for the password reset, but it will be enforced for the password change when the user logs on. This stops users from reusing a recent password, but it won't stop them from resetting a recently changed password. Users whose passwords are set to never expire in Active Directory will not be forced to change their password during logon, even if this check box is selected.

Users may try to evade the password history policy by resetting their password several times in quick succession to "push" a password off the password history list. Select a value from the Passwords can only be reset if they are at least drop-down list to stop users from doing this.
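
The following Python sketch is an added example, not code from APR or Active Directory. It models a password history list together with a minimum password age to show why resets in quick succession push a password off the history list, and why a minimum age stops that; the class, function names, and sample values are assumptions made for illustration.

```python
import hashlib
from datetime import datetime, timedelta


class ResetPolicy:
    """Simplified model of password history plus minimum age (not AD's or APR's code)."""

    def __init__(self, history_count, min_age, initial_password, now):
        self.history_count = history_count   # remembered passwords, current one included
        self.min_age = min_age               # timedelta; zero disables the age check
        self.history = [self._digest(initial_password)]
        self.last_set = now

    @staticmethod
    def _digest(password):
        # The model compares digests only; real directories store hashes differently.
        return hashlib.sha256(password.encode()).hexdigest()

    def reset(self, new_password, now):
        """Return (accepted, reason) for a reset attempted at time `now`."""
        if now - self.last_set < self.min_age:
            return False, "minimum age not reached"
        digest = self._digest(new_password)
        if digest in self.history:
            return False, "password is in history"
        # Keep only the newest history_count entries; older ones fall off the list.
        self.history = (self.history + [digest])[-self.history_count:]
        self.last_set = now
        return True, "accepted"


def cycle_back(policy, original, start, step):
    """Attempt history_count throwaway resets, `step` apart, then the original again."""
    now = start
    for i in range(policy.history_count):
        now += step
        policy.reset(f"Throwaway-{i}!", now)
    return policy.reset(original, now + step)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)   # constructed sample timestamp
    for min_age in (timedelta(0), timedelta(days=1)):
        policy = ResetPolicy(3, min_age, "Original-1!", t0)
        print(min_age, cycle_back(policy, "Original-1!", t0, timedelta(seconds=30)))
```

With no minimum age the original password is accepted again after three throwaway resets made 30 seconds apart; with a one-day minimum age every one of those resets is refused.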
