We have a PDC and BDC with Samba 3.0.23a and an LDAP backend. The "refuse machine password change" policy was set on both (and both restarted). Computers on that domain seem to ignore the setting, as confirmed both by a packet capture and by looking at it in the backend. Is the policy fully supported in Samba? Any ideas? Thanks!