Passwords must meet complexity requirements of the installed password filter
Computer Configuration\Windows Settings\Security Settings\Account Policies\Password Policy
Determines whether passwords must meet complexity requirements.
By default, this setting is disabled in the Default Domain Group Policy object (GPO) and in the local security policy of workstations and servers.
If this policy is enabled, then passwords must meet the minimum requirements described in the Notes section.
The default password filter (passfilt.dll) included with Windows 2000 requires that a password:
Does not contain all or part of the user's account name
Is at least six characters in length
Contains characters from three of the following four categories:
English upper case characters (A..Z)
English lower case characters (a..z)
Base 10 digits (0..9)
Nonalphanumeric (For example, !,$#,%)
Complexity requirements are enforced upon password change or creation.
To create custom password filters, refer to the Microsoft Platform Software Development Kit and the Microsoft Knowledge Base.