Our default requirements for creating end-user and admin passwords are listed below:
Password complexity: 1 or more upper case letters, 1 or more lower case letters, 1 or more numbers or special characters, and 8 or more characters in length. The password cannot contain the user's first name, last name or username.
Allowed characters: A-Z, a-z, 0-9, @, #, $, %, ^, &, =, +, >, <, |
The system forces users to change their passwords every 42 days. The new password must meet the above conditions and must not have been used before (the system remembers 24 historic passwords).
The default policy for lockouts is set to 0, meaning that users don't get locked out when entering an incorrect password.
The default policy can be changed for clients from the Primary Domain Controller (PDC) server. Best practice is to create a new policy matching your requirements instead of changing the default one. The new policy is then applied over the default policy, and if anything is not working for you with the new policy, you can simply revert to the default one.
How can users change their passwords?
Once logged in to their cloud desktop, users can do this by pressing Ctrl+Alt+End at the same time.
On a Mac laptop the shortcut is Control + Fn + Delete (Ctrl + Option + Fn + Delete).
The default policy in place on the domain requires a password to be at least 1 day old before it can be changed. Check the image below:
If you modify that policy and change the 1 day to 0, users should be able to change passwords whenever they want.
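One way to follow the advice above (a separate policy applied over the default, with the minimum age set to 0) is an Active Directory fine-grained password policy. This is an added example, not the provider's own script. It assumes the ActiveDirectory PowerShell module is available on the server, and the policy, group and user names are hypothetical.

```powershell
# Added example. 'Custom-Password-Policy', 'Example-Users' and 'example.user'
# are hypothetical names; replace them with your own.
Import-Module ActiveDirectory

# 1. Check that the live default domain policy matches the documented defaults.
$documented = @{
    ComplexityEnabled    = $true
    MinPasswordLength    = 8
    PasswordHistoryCount = 24
    MinPasswordAge       = [TimeSpan]::FromDays(1)
    MaxPasswordAge       = [TimeSpan]::FromDays(42)
    LockoutThreshold     = 0
}
$live = Get-ADDefaultDomainPasswordPolicy
foreach ($name in $documented.Keys) {
    if ($live.$name -ne $documented[$name]) {
        Write-Warning "$name is '$($live.$name)', documented default is '$($documented[$name])'"
    }
}

# 2. Create a separate policy and leave the default one untouched.
#    Values are copied from the documented defaults except MinPasswordAge,
#    which is 0 so users can change passwords whenever they want.
$pso = @{
    Name                        = 'Custom-Password-Policy'
    Precedence                  = 10
    ComplexityEnabled           = $true
    MinPasswordLength           = 8
    PasswordHistoryCount        = 24
    MinPasswordAge              = [TimeSpan]::Zero
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    LockoutThreshold            = 0
    ReversibleEncryptionEnabled = $false   # set explicitly, do not rely on the cmdlet default
}
New-ADFineGrainedPasswordPolicy @pso

# 3. Apply it to a global security group (or to individual users).
Add-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Example-Users'

# 4. Confirm which policy a member of that group actually receives.
#    Empty output means only the default domain policy applies to the user.
Get-ADUserResultantPasswordPolicy -Identity 'example.user'

# To revert to the default policy, detach the group again:
# Remove-ADFineGrainedPasswordPolicySubject -Identity $pso.Name -Subjects 'Example-Users'
```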
Password expiration policy
Users get a small notification in the bottom right corner of their remote desktop session before their password expires.
The default password expiration policy, including the notification period, can be found in the default group policy. The settings can be changed to your preference in Active Directory, or you can mark passwords to never expire from CAS by accessing User settings.
The default policy sets the minimum password age to 1 day. That means that an end user will not be able to reset their password more than once a day unless the default policy is changed to 0.
The default maximum password age is 42 days.