In this post we are going to talk about password policies further and cover off what appears to be a bug but is actually "by design".
My customer had a handful of domain controllers with a single 2008 R2 domain controller and three Server 2012 R2 domain controllers. The PDC Emulator resides on Server 2008 R2.
The Server 2008 R2 domain controller was applying the password policy correctly however the 2012 R2 domain controllers were not (or so I thought).
Running an rsop.msc on the 2008 R2 domain controller (the PDC) shows the policy being applied from the Default Domain Policy.
The same was experienced running an "gpresult /v" on the 2008 R2 or 2012 R2 domain controllers.
"gpresult /v" on 2008 R2:
- net accounts (checks local password policies on a server)
- net accounts /domain (checks the domain password policy on a server)