I'm currently facing an issue with a new Group Policy Object (GPO) that I created to change the maximum password age. This GPO is linked directly below the Default Domain Policy (DDP), which has the link order of 1, while my new GPO is at link order 2. I made this separate GPO intentionally because I know the recommendation to keep the Default Domain Policy untouched. However, even though my new GPO should apply with the normal rules of 'last applied wins', it seems that the settings from the Default Domain Policy always override mine. Why is the precedence behaving this way? Is there something specific about password policies or account policies that I'm missing?
5 Answers
Have you checked if it's applied correctly? Try running 'gpresult /h c:\report.html' to see if the policy is applied or denied. It can give you insight into whether your settings are actually taking effect.
You're dealing with a specific scenario in Group Policy. For account policies (like password, lockout, etc.), they are only processed from the highest precedence GPO linked to the domain root. This means that even though your GPO applies later in the link order, domain account policies are evaluated differently, and the DDP ultimately takes precedence. If you want distinct password policies, consider using Fine-Grained Password Policies as that's the modern approach.
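As an added example (not code from any of the answers), here is a PowerShell session that lists the GPO link order at the domain root, shows the password policy the domain currently enforces, and then applies a distinct maximum password age through a Fine-Grained Password Policy as this answer suggests. It assumes the RSAT ActiveDirectory and GroupPolicy modules and domain-admin rights; the group, user and PSO names are placeholders.

```powershell
# Added example, not from the thread. Assumes RSAT ActiveDirectory and
# GroupPolicy modules; group, user and PSO names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDn = (Get-ADDomain).DistinguishedName

# 1. GPOs linked at the domain root, in precedence order. Link order 1 is
#    applied last and therefore wins; a GPO at order 2 loses to the Default
#    Domain Policy for account-policy settings unless it outranks it here.
Get-GPInheritance -Target $domainDn |
    Select-Object -ExpandProperty GpoLinks |
    Sort-Object Order |
    Format-Table Order, DisplayName, Enabled, Enforced -AutoSize

# 2. The password policy the domain actually enforces right now.
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MaxPasswordAge, MinPasswordLength, PasswordHistoryCount, ComplexityEnabled

# 3. A PSO for the users who need a different maximum password age.
#    PSOs apply to users and global security groups; a lower Precedence
#    value wins if a user falls under more than one PSO.
$psoName   = 'PSO-Contractors-60d'   # placeholder PSO name
$groupName = 'Contractors'           # placeholder global security group
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MaxPasswordAge (New-TimeSpan -Days 60) `
        -MinPasswordAge (New-TimeSpan -Days 1) `
        -MinPasswordLength 14 -PasswordHistoryCount 24 -ComplexityEnabled $true `
        -LockoutThreshold 10 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30)
    Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects $groupName
}

# 4. Verify which policy a member of that group really gets.
#    A $null result means the user still falls back to the domain default.
$sampleUser = 'jdoe'                 # placeholder account
$effective  = Get-ADUserResultantPasswordPolicy -Identity $sampleUser
if ($effective) {
    "$sampleUser -> PSO '$($effective.Name)', MaxPasswordAge $($effective.MaxPasswordAge)"
} else {
    "$sampleUser -> domain default policy (no PSO applies)"
}
```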
Remember, when you set a domain password policy, it affects the domain controllers. That's why users must meet those requirements since it's the domain that enforces the policies, not just the local machines. Setting policies on the Domain Controllers OU can change how they function, often in surprising ways!
Keep in mind, the password policy applies to the domain level rather than local accounts. The configurations affecting domain users are enforced by the domain controller, not the local machines.
The guideline to leave the Default Domain Policy untouched doesn't quite apply here. This best practice often leans more toward avoiding random changes to the DDP that would impact all users everywhere. Password policies are usually set at the domain controller level, so they need to be configured in the Default Domain Controllers Policy for proper application to users.

Exactly! The account policies usually override other settings, so Fine-Grained Password Policies are really the way to go for anything unique.