Does QAS/VAS enable control of password expiration, complexity, history, etc? How is this achieved?
All authentication and password changes for Active Directory users are done directly against Active Directory Domain Controllers using standard Kerberos protocols.
The Domain Controllers enforce account lockout, password complexity and history, and password expiration. The QAS client simply passes this information back to the users.
To display the rules from the domain from the QAS client you can use the vastool info adsecurity command.
Here is an example of the command and the output:
# /opt/quest/bin/vastool -u administrator info adsecurity -u <username>