@larsen161 said in domain controller in the cloud for small office?:
@mike-davis do you have an hhs.gov or gpo.gov link to where it mentions the requirement for passwords to be changed?
From what I understand §164.308(a)(5)(ii)(D) requires you to define the password policy. Since the "best practice" in many circles was to change your password every XX days in case someone observed your password, many places still have it in their policy to change passwords every 90 days.
It was only last year that mainstream media ran that article that explained that a longer pass phrase is better than a short complex password, but getting organizations to change their policies doesn't happen quickly.
Do you have a sample policy (or just that part) that you could share to replace the complexity and change requirement?