ds: account policy settings

i've been asked this question more times than i can recall by auditing agencies, security, compliance regulation, etc. at first, i'd goof around the domain policy settings looking for this stuff. someone happened to ask me how to change a local admin password on a server. i suggested net and stumbled on this:

net accounts

Force user logoff how long after time expires?:       7
Minimum password age (days):                          7
Maximum password age (days):                          7
Minimum password length:                              7
Length of password history maintained:                7
Lockout threshold:                                    7
Lockout duration (minutes):                           7
Lockout observation window (minutes):                 7
Computer role:                                        WORKSTATION

if you want to see what it is for your domain, run net accounts /domain.