I'm trying to set up a PSO that uses a separate set of password policies for certain users with higher security requirements. I've followed the guide for doing this found here: http://www.windowsecurity.com/articles/Configuring-Granular-Password-Settings-Windows-Server-2008-Part-1.html
My environment contains 2 Windows Server 2003 DCs that share the FSMO roles, and another Windows Server 2008 DC that has the Global Catalog. One of the Server 2003 (the Domain Naming and Schema Master) DCs is also a Global Catalog server.
I have created a PSO with the settings I want and applied it to the Group I want it to effect. I confirmed that the group has the msDS-PSOApplied setting set pointing to my PSO as well as confirmed that the msDS-PSOAppliesTo setting on the PSO itself contains my group. I also added a specific user account to the msDS-PSOAppliesTo setting and it still does not work.
When I log in as a user who is supposed to be getting these settings, I am still allowed to change my password to something with only 4 chars (minimum is 8 on my PSO).
Does anybody have any idea why this might not be working? Thank you.