Table 1: Windows Server 2003 Password-Quality-related GPO settings

| Setting | Comments |
|---|---|
| Password Policy (in Computer Configuration\Windows Settings\Security Settings\Account Policies GPO Container) | |
| Enforce password history | Value: 0-24. Sets the number of passwords Windows will remember and forces users to choose a password different from the ones in the history. |
| Maximum password age | Value: 0-999. Specifies the number of days a password remains valid. "0" means that the password never expires. This setting can be overridden by setting "Password never expires" in the account properties. |
| Minimum password age | Value: 0-999. Specifies the number of days before a user is allowed to change his password. "0" means that the user can always change his password. |
| Minimum password length | Value: 0-14. Specifies the minimum password length. "0" means that the user is allowed to have no password at all. Windows Server 2003 and Windows 2000 Server support a maximum password length of 127 characters. In Windows NT 4.0, the password length was limited to 14 characters. |
| Password must meet complexity requirements | Value: enabled-disabled. Enabling this setting requires that passwords be at least six characters long; contain a mix of uppercase letters, lowercase letters, numbers, and symbols; and don't contain the username or any part of the user's full name. |
| Store passwords using reversible encryption for all users in the domain | Value: enabled-disabled. When enabled, this setting doesn't let passwords be stored in a hashed format in the SAM or AD. This setting is used to support the HTTP-based Digest authentication protocol. |
| Security Options (in Computer Configuration\Windows Settings\Security Settings\Local Policies GPO Container) | |
| Accounts: Limit local account use of blank passwords to console logon only | Value: enabled-disabled. Enabling this setting makes it impossible for users with blank passwords to perform a network or a remote desktop logon. Only local logons will be allowed. |
| Network Security: Do not store LAN Manager hash value on next password change | Value: enabled-disabled. When this setting is enabled, no LAN Manager password hashes will be stored in the SAM or AD. The LAN Manager password hash is insecure because it stores an identical hash for every password longer than 14 characters. |
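
An added example, not part of the original page: a small audit that reads a security policy export (as produced by `secedit /export /cfg`) and flags the values Table 1 describes as allowing blank, reversibly stored, or LAN Manager hashed passwords. The INF key names (`MinimumPasswordLength`, `PasswordComplexity`, `ClearTextPassword`, `NoLMHash`, `LimitBlankPasswordUse`) are secedit's names for these settings and do not appear in the table; the sample export is constructed.

```python
import configparser

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
# (section, secedit key, flagged value, meaning per Table 1)
CHECKS = [
    ("System Access", "MinimumPasswordLength", 0, "users may have no password at all"),
    ("System Access", "PasswordComplexity", 0, "complexity requirements are disabled"),
    ("System Access", "ClearTextPassword", 1, "passwords are stored with reversible encryption"),
    ("Registry Values", LSA + "NoLMHash", 0, "LAN Manager hashes are still stored"),
    ("Registry Values", LSA + "LimitBlankPasswordUse", 0,
     "blank-password accounts may log on over the network"),
]

# Constructed sample export (not from the page). Real exports are usually
# UTF-16 files; decode them before passing the text to audit().
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
ClearTextPassword = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
"""

def audit(inf_text):
    """Return (setting, finding) pairs for flagged or undefined settings."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None,
                                   strict=False, allow_no_value=True)
    cp.read_string(inf_text)
    findings = []
    for section, key, flagged, meaning in CHECKS:
        name = key.rsplit("\\", 1)[-1]
        raw = cp.get(section, key, fallback=None)  # key lookup is case-insensitive
        if raw is None:
            findings.append((name, "not defined in this export"))
            continue
        # Registry values are exported as "<type>,<data>", e.g. "4,0" for a DWORD.
        value = int(raw.split(",")[-1].strip().strip('"'))
        if value == flagged:
            findings.append((name, meaning))
    return findings

if __name__ == "__main__":
    for name, finding in audit(SAMPLE_INF):
        print(f"{name}: {finding}")
```

A setting reported as "not defined in this export" is not configured by that policy, so its effective value has to be confirmed on the machine itself.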