This issue applies to Server 2003 schemas. Remember, your schema may be lower than your domain controller server version.
So you’re working through some policy issues and you find that your computer isn’t picking up the proper password policy that you’ve applied, even though your machine is definitely part of the OU where the GPO is linked. You do an RSOP and see that the resultant policy is not applied and can’t figure out why some things like password age or complexity are not being changed on the machine.
You’re going to need to apply all Kerberos, Password Settings, and Domain Security at the Domain level of the OUs in Active Directory. Reason being is that a long while back in the 2003 days there would be major conflicts if some machines had these settings different from one another if they were applied to different OUs. Nowadays this is no big deal, but if your schema is 2003, you’ll want to link your “General Password Settings” policy (or whatever you call it) to the domain instead of the OUs underneath the domain.
Do this, force an update to group policy, log off, then back on, and let me know if it finally changes for you.