> I am trying to set a policy for users. One of our requirements is
> that passwords not be reused for at least 1 year (we change passwords
> every 30 days). The problem seems to be that the -history parameter
> cannot be greater than 9. Is this something I am doing wrong or is
> this indeed a restriction on the number of kept old passwords? Thanks


This is, indeed, a restriction. If you need more, you need to change
the code and recompile, etc.

In any event, unless you also set a minimum password lifetime, you
can't guarantee no reuse in a year anyway (I could change my password
12 times in 12 minutes).


I realize that these sorts of password rules are often externally dictated,
but it's not clear to me (or many others) that they actually have a positive
effect on security.



John