An organizations’ security policy requires that users change passwords every 30 days. After a security
audit, it was determined that users were recycling previously used passwords. Which of the following
password enforcement policies would have mitigated this issue?

A.
Password history

B.
Password complexity

C.
Password length

D.
Password expiration

Explanation:
Password history determines the number of previous passwords that cannot be used when a user
changes his password. For example, a password history value of 5 would disallow a user from changing his
password to any of his previous 5 passwords. However, without a minimum password age setting, the
user could change his password six times and cycle back to his original password.Incorrect Answers:
B: Password complexity determines what a password should include. For example, you could require a
password to contain uppercase and lowercase letters and numbers. It will not prevent users from
changing their passwords multiple times to cycle back to their original passwords. Therefore, this answer
is incorrect.
C: Password length determines the minimum number of characters your password should contain.It will
not prevent users from changing their passwords multiple times to cycle back to their original passwords.
Therefore, this answer is incorrect.
D: Password expiration determines how long a password can be used for before it must be changed.
Password expiration will force users to change their passwords but it will not prevent users from changing
their passwords multiple times to cycle back to their original passwords. Therefore, this answer is
incorrect.

https://technet.microsoft.com/enus/library/cc757692%28v=ws.10%29.aspx#w2k3tr_sepol_accou_set_kuwh