I assume it's a private server, not a shared resource, so he can decide his own password policy.
As Lugh pointed out, mandatory password change does not improve security - even the NIST no longer...