[Samba] Domain Functionality Level and GPO password policies

Neil nwilson123 at gmail.com
Wed Oct 1 06:33:47 MDT 2014

Hi guys,

I've been trying to work out how to set a GPO that allows certain
Groups (Domain Users) a password expiry of 60 days and another group
(Domain admins) an expiry of 30 days, but when looking through the
Group Policy Manager I don't see how to achieve this.

After looking around online I stumbled across the domain Functionality
Level which if I understand means that I have to increase it from 2003
to 2008 in order to be able to allow this.

Is this true, do I have to upgrade the level, or am I just missing the
way to achieve the above?

I see that ... https://wiki.samba.org/index.php/Raising_the_functional_levels#Impact_of_upgrading_the_functional_levels

...talks about ensuring that your forest level isn't higher than
your domain level so I'll set them both to 2008 functionality, and I
presume that if I increase this on my PDC I'll need to increase it on
my other Samba4 domain controller that is replicating settings as

Can I do this live while the servers are in use and should I expect any issues?

Thanks, any help is greatly appreciated.


Neil Wilson.
