Thank you so much for your feedback.
So sorry that I misunderstood this. Frankly speaking, I am not professional with this API.
According to the research, the NetUserSetInfo function does not control how the password parameters are secured when sent over the network to a remote server to change a user password.
Besides, when we gave one of old passwords, it was returning NREE_Success, but it should be NERR_PasswordTooShort as you stated.
As for the Enforce password history policy, it determines the number of unique new passwords that must be associated with a user account before an old password can be reused. If set to 10, the new password set by the user cannot be the same as the old password set 10 times before.
If we gave the too recent old passwords, will it also return Success?
Please forgive me if there is any other misunderstanding. Thanks so much for your understanding and support.
If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.