Password complexity is enabled.
Password Age: 60-days
History: Last 4 passwords cannot be used.
Length: At least 8 characters.
An audit requirement is to force the users to change at least 3 characters of their previous password.
In other words, the user cannot use: Password1, Password2, Password3, etc. They would need to change at least 3 of the characters - example: "P@33w0rd2"