There is a bug that 2019 server AD with a domain level of 2012R2 is ignoring the Password Policy settings.

Running RSOP on the domain controller is return the Password Policy and Account Lockout Policy as Not Defined.
I set my domain password policy to minimum of 10 characters but I was able to create a user with 4 characters and even to change the password to a shorter password. I was able to do it only on the AD and when I run RSOP on my win 10 laptop I was able to see policy.
I installed a new environment of 2019 AD server with DC level of 2012R2 and I saw the issue. When I checked it on another new environment of 2019 AD server with a domain level of 2016 the policy worked fine.