Password history in Active Directory
We are considering enabling "Enforce password history" on our Active Directory, the password is now maintained by another IAM system, but we are looking into changing it to AD/AAD.
Users has been changing passwords for years now in a different system, and the password change has been sent to AD. AD has not enforced password history.
Question 1: Does AD record the used password over time, even if Enforce password history is not enabled. So when enabling "enforce password history", the previous passwords cannot be reused within the policy setting for password history? Meaning they can not reuse a password set years ago.
Question 2: Setting the password through administrative resets (eg. powershell, etc.) and since they are not subject to age or history requirements.. But are they "added to password history" for the user?
My questions is probably dumb and easy, but googling it just end up with endless articles concerning "Enforce password history". And this feature is important to us, so I need to know for certain. Sometimes you just have to ask the stupid questions...
Solution 1:
Q1 - no, enabling history will not see passwords that have been used before enabling it.
Solution 2:
As with all password changes, a password that is used during an administrative password reset is included in the password history of an account, as long as Active Directory is configured to enforce password history.
It is easy enough to test.