The invention describes techniques for enforcing password policy within a distributed directory environment that includes one or more distributed directory servers and a proxy server that acts as an intermediate agent between a client and the distributed directory environment. In one aspect, the proxy server is enhanced to support the passing (from the backend server to the client) of password policy controls. In particular, controls returned from a backend server are parsed and cached (for re-use) for the life of a given client connection. According to another aspect, the proxy server ensures that all compare operations for a single user's password are directed to the same backend server in the distributed directory environment. This insures that a user's most current password is used, and that failed operation counts, resets and operational attributes are up-to-date. According to still another aspect, the proxy server enforces password policy on bind plug-ins and, in particular, through a pair of pre-bind and post-bind extended operations. In particular, pre-bind processing includes checking if an account is locked. Post-bind processing includes checking for expired passwords, grace logins and updating failed/successful bind counters.