Global pwpolicy requires Password Server

Josh Wisenbaker posted to the MacEnterprise list, explaining that global policy for pwpolicy probably only works with the Password Server in Open Directory. It apparently does not work in the DSLocal local directory service (Leopard and later) or in NetInfo (Tiger and earlier). At the local level you instead need per-user password policies.

This fits in with my recollection of password policy. I wrote my first Python system administration script to set password policy in Tiger. (Yes, I wrote a huge script to run a single shell command. Error checking! I blame error checking for the length! Plus, I hadn’t yet learned about a number of helpful modules that would have been nice to use.)

And in the end, writing it didn’t really buy me anything because, as I recall, the policies I set didn’t seem to apply globally. Plus, when I did get pwpolicy to apply to individual users, it only controlled normal user accounts and not admin accounts. But, if you’re okay with those limitations, you can loop through your local users and set pwpolicy on them.
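As an added example (not the author's script), here is the per-user loop in POSIX shell: it reads the local user list, skips system accounts and members of the admin group (since per-user pwpolicy does not govern admins), and emits one `pwpolicy -u ... -setpolicy` command per remaining user. The policy string and the inline `dscl`-style sample data are constructed for illustration; set `DRY_RUN=0` on a Mac to query `dscl` and run the commands for real.

```shell
#!/bin/sh
# Example per-user policy (constructed; pick values that fit your site).
POLICY="minChars=8 requiresNumeric=1 maxMinutesUntilChangePassword=129600"

# Print the names of local users with UID >= 500 that are not admin members.
# $1: lines of "name uid", as produced by `dscl . -list /Users UniqueID`
# $2: the `dscl . -read /Groups/admin GroupMembership` line
select_target_users() {
    printf '%s\n' "$1" | while read -r name uid; do
        [ -n "$name" ] || continue
        [ "$uid" -ge 500 ] || continue          # skip system accounts
        case " $2 " in
            *" $name "*) continue ;;            # skip admin group members
        esac
        printf '%s\n' "$name"
    done
}

# Build one pwpolicy invocation per user name (names separated by whitespace).
build_commands() {
    for name in $1; do
        printf 'pwpolicy -u %s -setpolicy "%s"\n' "$name" "$POLICY"
    done
}

# Constructed sample data standing in for dscl output (not from a real machine).
SAMPLE_USERS="_mdnsresponder 65
root 0
alice 501
bob 502
carol 503"
SAMPLE_ADMINS="GroupMembership: root alice"

main() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        users="$SAMPLE_USERS"; admins="$SAMPLE_ADMINS"
    else
        users=$(dscl . -list /Users UniqueID)
        admins=$(dscl . -read /Groups/admin GroupMembership)
    fi
    targets=$(select_target_users "$users" "$admins")
    build_commands "$targets" | while read -r cmd; do
        if [ "${DRY_RUN:-1}" = 1 ]; then echo "$cmd"; else sh -c "$cmd"; fi
    done
}

main
```

With the sample data the dry run prints commands for bob and carol only: alice is an admin, and the two low-UID accounts are skipped.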

Fwiw, I have a number of feature requests in about pwpolicy at the local level, and controlling it from a network directory service. I think you, too, should file requests about this.

Update: I am told it worked in Tiger but not in Leopard. Specifically, the passwords expire but there’s no opportunity to change them at loginwindow when that happens.