One thing that I would recommend that I am not seeing is setting a minimum password age to be in the 1-2 week range. If you don't do this, you will get users who keep changing passwords until they cycle through the password history and arrive back to the same one, even with a one day delay. Personally, I find a minimum password length in the 7-8 character range (with complexity requirements) to be more than enough to cover yourself from a brute force attack, as even with current GPU hashing it's going to be measured in months to years. The far more likely scenario, the one that we've seen dozens of times in the last year, is users registering website accounts to their work email address and using the same password on both accounts. Your AD is going to salt and hash your passwords properly, but external websites are a complete unknown and *they keep doing it wrong*, and you find dumps of email/password combos all over pastebin. Setting a password expiration policy helps get users out of using the same password for everything, starting with their work account. This idea of having a "favorite password" is terrifying from an exposure standpoint, as more often than not everything is registered and authenticated by the same email address. A single endpoint entrusted with that credential set getting compromised opens the floodgates in that situation. And if you're still running XP systems, don't forget to disable LanManager hashes in your policy and force a change to purge them out.
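As an added example (not code from the original post), the following PowerShell audits a domain's default password policy against the settings described above (minimum age, length, complexity, history) and checks whether LM hash storage is disabled; it assumes the ActiveDirectory RSAT module is installed, that the account running it can read and modify the default domain policy, and that the domain name is a placeholder to replace.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) and rights to read/modify the default domain policy.
Import-Module ActiveDirectory

$Domain = 'corp.example.local'   # placeholder: replace with your own domain

# Baseline taken from the post: a 1-week minimum age stops users cycling through
# the history back to a favourite password; 8 chars with complexity; history
# deep enough that cycling is tedious.
$Baseline = @{
    MinPasswordAge       = [TimeSpan]::FromDays(7)
    MinPasswordLength    = 8
    ComplexityEnabled    = $true
    PasswordHistoryCount = 24
}

# Compare the live default domain policy to the baseline; returns one finding
# string per setting that is weaker than recommended (empty array = compliant).
function Test-DomainPasswordBaseline {
    param([string]$Identity, [hashtable]$Expected)
    $p = Get-ADDefaultDomainPasswordPolicy -Identity $Identity
    $findings = @()
    if ($p.MinPasswordAge -lt $Expected.MinPasswordAge) {
        $findings += "MinPasswordAge is $($p.MinPasswordAge), want >= $($Expected.MinPasswordAge)"
    }
    if ($p.MinPasswordLength -lt $Expected.MinPasswordLength) {
        $findings += "MinPasswordLength is $($p.MinPasswordLength), want >= $($Expected.MinPasswordLength)"
    }
    if (-not $p.ComplexityEnabled) { $findings += 'ComplexityEnabled is off' }
    if ($p.PasswordHistoryCount -lt $Expected.PasswordHistoryCount) {
        $findings += "PasswordHistoryCount is $($p.PasswordHistoryCount), want >= $($Expected.PasswordHistoryCount)"
    }
    return $findings
}

# NoLMHash = 1 is the registry value behind the GPO setting "Network security:
# Do not store LAN Manager hash value on next password change". Existing LM
# hashes are only purged when each user next changes their password.
function Test-NoLMHash {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    return ($lsa.NoLMHash -eq 1)
}

$findings = Test-DomainPasswordBaseline -Identity $Domain -Expected $Baseline
$findings | ForEach-Object { Write-Warning $_ }
if (-not (Test-NoLMHash)) { Write-Warning 'LM hash storage is NOT disabled on this host' }

# Remediate the domain policy only when something was flagged (splatting maps
# the hashtable keys onto the cmdlet's parameters of the same name).
if ($findings.Count -gt 0) { Set-ADDefaultDomainPasswordPolicy -Identity $Domain @Baseline }
```

Run the audit on a domain controller (or a host with RSAT) as a domain admin; the NoLMHash check reads the local machine, so repeat it on the XP-era hosts the post refers to.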