I have set the Max Password Age in the Default Domain Policy in Group Policy to 90 days, however it seems to be not taking effect and all users have to change their passwords after the default 42 days instead.
I have checked that the policy is giving read access to Authenticated Users, and that it is being applied to client machines and domain controllers using gpresult.
In fact I'm not sure if any of the settings are taking effect, since I also specify lockout after 5 invalid attempts, however I can still login after deliberately entering the wrong password more than 5 times.
I have checked that there are no other overriding policies.
All DCs are Windows 2012 and clients are mix of 7 and XP.