OSX pulls wrong PSO from Active Directory

Hello,


I've created a password policy of 180 days max password age (among other settings) in a blended Windows and OSX Active Directory environment. It is applied to a security group that all my employees have been added to. The priority of this PSO is 1. To trigger the policy, I've been forcing users to change their password at next login in AD, by department. The Windows users seem to be fine. But now, my OSX users are being told that their password expires in 28 days, 25 days, etc. at login. After doing the math, this lines up with the default domain policy of 42 days (if max password age is not defined).


To troubleshoot, I had a few of my OSX users install ADPassMon:


https://yourmacguy.wordpress.com/adpassmon/


on their machines. This displays the number of days left until their password expires in their menu bar. The value here is correct, and shows values like 164 days, 160 days, etc.


I have also verified that a "dsget user <User-DN> -effectivepso" on any of the users in question shows that the PSO I created is the effective one.


So it would appear that OSX is pulling the default domain policy from AD instead of the password policy I created, at least at the login page. Does anyone know where OSX queries AD for this information, or where it stores it, and if there is a way to change it? This is only affecting my mac users.


Thanks!

Posted on Dec 3, 2015 2:58 PM
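The "doing the math" step in the post, written out as an added example (not code from the original poster). The script mirrors the documented rule AD uses to pick a user's effective PSO (PSOs linked directly to the user beat group-linked ones, lowest msDS-PasswordSettingsPrecedence wins, with the Default Domain Policy as the fallback) and then computes the days-to-expiry from the same pwdLastSet under both the effective PSO and the default policy, so the two figures the post describes (about 28 days versus about 166 days) can be reproduced side by side. All values are constructed: the policy names, the GUID, and the 14-day-old password are assumptions, and a real check would read pwdLastSet and msDS-ResultantPSO for the user from the directory (for example with the dsget command the post already uses).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

# Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC. pwdLastSet is
# stored this way; maxPwdAge / msDS-MaximumPasswordAge is a NEGATIVE tick count.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
TICKS_PER_DAY = 86_400 * TICKS_PER_SECOND
NEVER_EXPIRES = -(2 ** 63)  # sentinel AD uses for "password never expires"


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    max_pwd_age: int                   # negative ticks, as read from AD
    precedence: Optional[int] = None   # msDS-PasswordSettingsPrecedence; None = Default Domain Policy
    guid: str = ""                     # objectGUID, used only as the documented tie-breaker


def datetime_to_filetime(dt: datetime) -> int:
    """Aware UTC datetime -> FILETIME ticks (whole seconds are enough here)."""
    return int((dt - FILETIME_EPOCH).total_seconds()) * TICKS_PER_SECOND


def filetime_to_datetime(ft: int) -> datetime:
    """FILETIME ticks (e.g. pwdLastSet) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def max_age_days(policy: PasswordPolicy) -> Optional[float]:
    """Translate the negative tick count into days; None means no expiry."""
    if policy.max_pwd_age == NEVER_EXPIRES:
        return None
    return -policy.max_pwd_age / TICKS_PER_DAY


def resultant_pso(user_psos: List[PasswordPolicy],
                  group_psos: List[PasswordPolicy],
                  default: PasswordPolicy) -> PasswordPolicy:
    """Pick the effective policy the way msDS-ResultantPSO is computed:
    direct user links first, then group links; within a tier the lowest
    precedence wins and ties fall to the lowest GUID; otherwise the default."""
    for tier in (user_psos, group_psos):
        if tier:
            return min(tier, key=lambda p: (p.precedence, p.guid))
    return default


def days_until_expiry(pwd_last_set: int, policy: PasswordPolicy,
                      now: datetime) -> Optional[float]:
    """Days left before pwdLastSet + max password age, or None if no expiry."""
    days = max_age_days(policy)
    if days is None:
        return None
    expires_at = filetime_to_datetime(pwd_last_set) + timedelta(days=days)
    return (expires_at - now).total_seconds() / 86_400


def compare_policies(pwd_last_set: int, user_psos: List[PasswordPolicy],
                     group_psos: List[PasswordPolicy], default: PasswordPolicy,
                     now: datetime) -> Dict[str, object]:
    """Report what the login prompt *should* say (effective PSO) next to what
    it would say if the default domain policy were applied instead."""
    effective = resultant_pso(user_psos, group_psos, default)
    return {
        "effective_pso": effective.name,
        "days_left_effective": days_until_expiry(pwd_last_set, effective, now),
        "days_left_default": days_until_expiry(pwd_last_set, default, now),
    }


# Constructed sample values (assumptions, not read from any real directory):
# a 42-day default policy, a 180-day PSO with precedence 1 linked to the
# employees group, and a password last set 14 days before "now".
NOW = datetime(2015, 12, 3, 14, 58, tzinfo=timezone.utc)
DEFAULT_DOMAIN_POLICY = PasswordPolicy("Default Domain Policy", -42 * TICKS_PER_DAY)
EMPLOYEE_PSO = PasswordPolicy("Employees-180d", -180 * TICKS_PER_DAY,
                              precedence=1, guid="00000000-0000-0000-0000-0000000000aa")
SAMPLE_PWD_LAST_SET = datetime_to_filetime(NOW - timedelta(days=14))


def sample_report() -> Dict[str, object]:
    """The scenario from the post: group-linked PSO only, no direct link."""
    return compare_policies(SAMPLE_PWD_LAST_SET, [], [EMPLOYEE_PSO],
                            DEFAULT_DOMAIN_POLICY, NOW)


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

If the number a client shows matches days_left_default rather than days_left_effective for the same pwdLastSet, that client is evaluating the domain-wide maxPwdAge instead of the user's resultant PSO, which is exactly the mismatch the post describes between the login window and ADPassMon.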
