[Samba] Domain Functionality Level and GPO password policies
Ryan Ashley
ryana at reachtechfp.com
Wed Oct 1 12:26:09 MDT 2014
My memory may be bad here, but I could swear I did this in a 2003 R2
domain. Basically I set the default domain password settings in the
default domain policy. Then I created a second GPO and linked it to an
OU in the domain and it had separate password settings. It worked fine.
This was prior to 2008 coming out.
On 10/01/2014 08:33 AM, Neil wrote:
> Hi guys,
>
> I've been trying to work out how to set a GPO that allows certain
> Groups (Domain Users) a password expiry of 60 days and another group
> (Domain admins) an expiry of 30 days, but when looking through the
> Group Policy Manager I don't see how to achieve this.
>
> After looking around online I stumbled across the domain Functionality
> Level which if I understand means that I have to increase it from 2003
> to 2008 in order to be able to allow this.
>
> Is this true, do I have to upgrade the level, or am I just missing the
> way to achieve the above?
>
> I see that ... https://wiki.samba.org/index.php/Raising_the_functional_levels#Impact_of_upgrading_the_functional_levels
>
> ...talks about the ensuring that your forest level isn't higher than
> your domain level so I'll set them both to 2008 functionality, and I
> presume that if I increase this on my PDC I'll need to increase it on
> my other Samba4 domain controller that is replicating settings as
> well?
>
> Can I do this live while the servers are in use and should I expect any issues?
>
> Thanks, any help is greatly appreciated.
>
> Regards.
>
> Neil Wilson.
More information about the samba
mailing list