Why you should implement password policy enforcement

It’s common sense: strong passwords (those that contain a larger number of characters made up of a combination of upper and lower case letters, numbers and symbols) are harder to crack than short, simple or common ones. Surely you can count on the users on your network to understand that and set their passwords accordingly, right? Maybe not. Imperva Inc. (a database security vendor) recently released a report wherein they analyzed 32 million passwords that were revealed in a database security breach. They found that almost half of those passwords were easy to guess, and the most common passwords of all were “123456” and other number sequences starting with 1, of varying lengths. Good grief!

http://www.computerworld.com/s/article/9147138/Users_still_make_hacking_easy_with_weak_passwords

So no, you can’t trust users to create secure passwords on their own. That’s why you need to set password length and complexity policies and use software to enforce them. Luckily that’s easy to do in a Windows domain. A password policy is enabled by default in a Windows Server 2008 domain, and you can use fine-grained password policies to apply different password restrictions to different groups of users within the domain. That’s something you couldn’t do with previous versions of Windows Server. This step-by-step guide tells you how to use this feature:

http://technet.microsoft.com/en-us/library/cc770842(WS.10).aspx
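
As an added example (not from the original post or the linked guide), the PowerShell below creates a stricter fine-grained policy, links it to a group and checks which policy each member actually receives. It assumes the ActiveDirectory module that ships with Windows Server 2008 R2 and later and a domain functional level of Windows Server 2008 or higher; the PSO name and every policy value are illustrative assumptions.

```powershell
# Added example: the PSO name and all policy values are illustrative assumptions.
Import-Module ActiveDirectory            # AD module, Windows Server 2008 R2 or later

$psoName   = 'PSO-DomainAdmins-Strict'   # hypothetical name for the new policy
$groupName = 'Domain Admins'             # PSOs link to users or global security groups, not OUs

# Baseline: the default domain policy every account gets unless a PSO overrides it.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount, MaxPasswordAge

# Create the stricter policy only if it is missing, so the script is safe to re-run.
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName `
        -Precedence 10 `
        -MinPasswordLength 15 `
        -ComplexityEnabled $true `
        -ReversibleEncryptionEnabled $false `
        -PasswordHistoryCount 24 `
        -MinPasswordAge '1.00:00:00' `
        -MaxPasswordAge '60.00:00:00' `
        -LockoutThreshold 5 `
        -LockoutObservationWindow '0.00:30:00' `
        -LockoutDuration '0.00:30:00' `
        -ProtectedFromAccidentalDeletion $true
}

# Link the policy to the group unless it is already a subject.
$linked = Get-ADFineGrainedPasswordPolicySubject -Identity $psoName |
    ForEach-Object { $_.Name }
if ($linked -notcontains $groupName) {
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# Verify: report the policy that wins for each direct user member of the group.
# A '(default domain policy)' row means no PSO applies to that account.
Get-ADGroupMember -Identity $groupName |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        $rp = Get-ADUserResultantPasswordPolicy -Identity $_.SamAccountName
        New-Object PSObject -Property @{
            User      = $_.SamAccountName
            Policy    = if ($rp) { $rp.Name } else { '(default domain policy)' }
            MinLength = if ($rp) { $rp.MinPasswordLength } else { $null }
        }
    }
```

When more than one PSO reaches the same user through group membership, the one with the lowest precedence value wins, and a PSO linked directly to the user overrides any group-linked PSO.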
