3.1.1.9.1 Password History Update
The following constraints MUST be satisfied for ntPwdHistory and lmPwdHistory. The term "history attribute" refers to one or the other in the following constraints, and the term "associated password" refers to dBCSPwd when the history attribute is lmPwdHistory, and unicodePwd when the history attribute is ntPwdHistory.
Let Password-History-Length be the value of the Effective-PasswordHistoryLength attribute (see section 3.1.1.5). If the target object being updated is the krbtgt account (that is, the objectSid value has the RID value of DOMAIN_USER_RID_KRBTGT), and Password-History-Length is less than 3, the value of 3 MUST be used for Password-History-Length.
If the Password-History-Length is greater than 0 and the history attribute is zero length, the history attribute MUST be updated with the previous associated password if the old associated password's length is nonzero.
If the Password-History-Length is zero, the history attribute MUST be updated with a zero-length value.
If the Password-History-Length is nonzero, the associated password value MUST be placed at the beginning of the history attribute, and existing values MUST be shifted by 16 bytes to the right. If the size of the attribute exceeds Password-History-Length * 16, the attribute value MUST be truncated to not exceed Password-History-Length * 16 bytes.