Are the GPOs for password maximum age and password minimum length enforced as soon as the policy is implemented or changed? Password complexity requirements are only enforced when passwords are created or changed, but it's not clear if that's true for other password characteristics:
TechNet article: Password must meet complexity requirements
"Complexity requirements are enforced when passwords are changed or created."
For example, let's say user John Smith's account was created before minimum length and maximum age GPOs were set, and he has a short password like "apple", and he's had it for 10 years (let's ignore complexity for now). If the GPOs are suddenly set to have a minimum length of 10 characters, and a max age of 90 days, will he immediately need to change his password at the next logon?