I created a PSO with the following:
- 10 character min
- complex enabled
- max length 90 days
- enforce history 12
I then applied it to 10 test users.
On 5 users it worked perfectly, they had not changed their password in over 90 days and it required a min of 10 characters and complexity.
The other 5 users had changed their password a few days prior to the PSO be applied, their passwords were NOT 10 characters nor complex.
What didn't the last 5 have to change their password???