[Samba] Domain Functionality Level and GPO password policies

Ryan Ashley ryana at reachtechfp.com
Wed Oct 1 12:26:09 MDT 2014

My memory may be bad here, but I could swear I did this in a 2003 R2 
domain. Basically I set the default domain password settings in the 
default domain policy. Then I created a second GPO and linked it to an 
OU in the domain and it had separate password settings. It worked fine. 
This was prior to 2008 coming out.

On 10/01/2014 08:33 AM, Neil wrote:
> Hi guys,
> I've been trying to work out how to set a GPO that allows certain
> Groups (Domain Users) a password expiry of 60 days and another group
> (Domain admins) an expiry of 30 days, but when looking through the
> Group Policy Manager I don't see how to achieve this.
> After looking around online I stumbled across the domain Functionality
> Level which if I understand means that I have to increase it from 2003
> to 2008 in order to be able to allow this.
> Is this true, do I have to upgrade the level, or am I just missing the
> way to achieve the above?
> I see that ... https://wiki.samba.org/index.php/Raising_the_functional_levels#Impact_of_upgrading_the_functional_levels
> ...talks about ensuring that your forest level isn't higher than
> your domain level so I'll set them both to 2008 functionality, and I
> presume that if I increase this on my PDC I'll need to increase it on
> my other Samba4 domain controller that is replicating settings as
> well?
> Can I do this live while the servers are in use and should I expect any issues?
> Thanks, any help is greatly appreciated.
> Regards.
> Neil Wilson.
