I have modified the Default Domain Policy to have a Max Password Age of 90 days (Winserver 2012). I have inheritance blocked on the DC OU and my Server OU, but the Default Domain Policy is linked to both and is only below the Default Domain Controller Policy in precedence. If I run the Group Policy Results wizard on a workstation and a normal user, I see the GPO that states max password age is 90 days. I've also run "rsop" on the actual workstation and I see the same results (90 days).
However, if I run "net user username /domain" on the workstation, I see a "Password expires" date 42 days in the future on a freshly changed password.
Who do I believe and/or what do I do to fix it?