[Samba] Domain Functionality Level and GPO password policies

Marc Muehlfeld mmuehlfeld at samba.org
Wed Oct 1 15:33:26 MDT 2014

Hello Neil,

On 01.10.2014 at 14:33, Neil wrote:
> I've been trying to work out how to set a GPO that allows certain
> Groups (Domain Users) a password expiry of 60 days and another group
> (Domain admins) an expiry of 30 days, but when looking through the
> Group Policy Manager I don't see how to achieve this.

You can't do this at the moment, because it has to be validated on the
domain controller(s) and Samba DCs don't know what to do with GPO.


> ...and I presume that if I increase this on my PDC I'll need to
> increase it on my other Samba4 domain controller that is replicating
> settings as well?

You raise the levels on one DC of your choice. The setting is stored
inside the AD. So the replication brings it automatically to each DC in
your domain/forest.

> Can I do this live while the servers are in use and should I expect
> any issues?

Yes, you can. The levels are just values in the AD. See:
For Samba they don't have a high weight at the moment. But if you have
Windows servers in your forest, the levels allow new features (AD
recycle bin, etc.), but also exclude older Windows server versions from
being a DC in your domain/forest. So take my warning seriously: :-)


