anomaly with Granular Password Settings

New Contributor

We have our macs bound to AD (transitioning to NoMAD in the works). About 5 months ago we added a tiered password expiration based on password length using following article:

14 characters or longer get 365 days password expiration
all else 180 days

Now after 5 months users (with 14 character passwords) only upon reboot while directly connected to the network via ethernet are being prompted that their password is about to expire ( they seem to be getting the default AD password policy) citing 6 month expiration. This does not happen if the same user attempts to login to windows machine.

To debug this I plan to do the following:
- attempt to check/set the precedence level on the password policy's
- I've a startup application which does tcpdump before the user logs in - in order to capture any password expiration settings are exchanged.

Any thoughts?