1. Not contain the user’s account name or parts of the user’s full name that exceed two consecutive characters
2. Be at least six characters in length
3. Complexity requirements are enforced when passwords are changed or created.
4. Contain characters from three of the following four categories:

English uppercase characters (A through Z)
English lowercase characters (a through z)
Base 10 digits (0 through 9)
Non-alphabetic characters (for example, !, $, #, %)

Default:

Enabled on domain controllers.
Disabled on stand-alone servers.

Note: By default, member computers follow the configuration of their domain controllers.