Different group policies in one domain
It is possible that there are secondary GPOs in more specific deployments (for example, applying only to a specific group of computers) which have more strict password reset requirements.
I would recommend running gpresult from a shell run with administrative privileges on the affected machine(s), to ascertain which GPOs were processed.
From a command line local to the machine: gpresult /h c:\temp\gpresult.html and then inspect the resulting file gpresult.html in a browser.
What you're looking for is the policy which has 'won' to set the password policy; do a search for 'password policy' and 'Maximum password age' on that page, to find the relevant policy, and check the 'Winning GPO' on the right-hand side of the page corresponding to the value set which has overridden the globally-applicable policy you have noted in your question.
Only one GPO can set password policies for the domain and it must be linked to the domain. If you have multiple GPOs that set the password policy linked to the domain then the GPO with the highest precedence (lowest link order) is the winning GPO and is the one that is setting the password policy for the domain. Password policies in GPOs linked to OUs will not be applied. My guess is that you have Fine-Grained Password Policies in place. If this is the case then you should see the FGPPs that have been created under System|Password Settings Container in Active Directory Users and Computers (you need to be viewing Advanced Features to see this).
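
The same check can be done from PowerShell instead of the Password Settings Container view. This is an added example, not part of the original answers; it assumes the ActiveDirectory module (RSAT) is installed and uses a placeholder account name, jdoe, and a hypothetical helper function name.

```powershell
# Added example: requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Hypothetical helper: reports which password policy actually governs one user.
function Get-EffectivePasswordPolicy {
    param(
        [Parameter(Mandatory)]
        [string]$Identity   # sAMAccountName or distinguished name of the user
    )

    # Returns the Fine-Grained Password Policy (PSO) that applies to the user,
    # directly or through group membership, or nothing if no PSO applies.
    $pso = Get-ADUserResultantPasswordPolicy -Identity $Identity

    if ($pso) {
        # A resultant PSO overrides the domain-linked GPO password policy.
        $source = "FGPP: $($pso.Name) (precedence $($pso.Precedence))"
        $policy = $pso
    } else {
        # No PSO applies, so the domain-level policy is in effect.
        $source = 'Default domain password policy'
        $policy = Get-ADDefaultDomainPasswordPolicy
    }

    [pscustomobject]@{
        User              = $Identity
        Source            = $source
        MaxPasswordAge    = $policy.MaxPasswordAge
        MinPasswordLength = $policy.MinPasswordLength
        ComplexityEnabled = $policy.ComplexityEnabled
    }
}

# List every FGPP in the domain with what it is applied to.
# Among PSOs applied through groups the lowest Precedence value wins;
# a PSO linked directly to the user takes priority over group-linked ones.
Get-ADFineGrainedPasswordPolicy -Filter * |
    Sort-Object Precedence |
    Select-Object Name, Precedence, MaxPasswordAge,
        @{ Name = 'AppliesTo'; Expression = { $_.AppliesTo -join '; ' } }

# 'jdoe' is a placeholder account name; substitute an affected user.
Get-EffectivePasswordPolicy -Identity 'jdoe'
```

If the Source column names an FGPP, the maximum password age for that user comes from that PSO rather than from any GPO shown in the gpresult report.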