Add an option to require administrative password reset to honor password history
Windows supports two password APIs, change and reset. The change API honors password history, preventing users from re-using recent previous passwords. The reset API ignores password history and allows an administrator or e.g. help desk, to re-use a recent previous password. Add an option in Active Directory to force the reset API to also honor password history. The default should be that this option is disabled, an administrator CAN use a recent password, so it matches expected / current behavior. For Active Directory, this option should be available in the default domain policy and also in each password settings object for granular password policy.
Guy Teverovsky commented