[Samba] Domain Functionality Level and GPO password policies

Neil nwilson123 at gmail.com
Thu Oct 2 01:26:47 MDT 2014


Hi Marc and Ryan,

Thanks very much for the responses.
So there's basically no way to allow one group one set of password
expiry options and another group another set of options?

Do you know if this is going to be allowed/added in at a later stage?

Thanks.

Regards.

Neil Wilson.



On Wed, Oct 1, 2014 at 11:33 PM, Marc Muehlfeld <mmuehlfeld at samba.org> wrote:
> Hello Neil,
>
> On 01.10.2014 at 14:33, Neil wrote:
>> I've been trying to work out how to set a GPO that allows certain
>> Groups (Domain Users) a password expiry of 60 days and another group
>> (Domain admins) an expiry of 30 days, but when looking through the
>> Group Policy Manager I don't see how to achieve this.
>
> You can't do this at the moment, because it has to be validated on the
> domain controller(s) and Samba DCs don't know what to do with GPO.
>
> https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F
>
>
>
>
>> ...and I presume that if I increase this on my PDC I'll need to
>> increase it on my other Samba4 domain controller that is replicating
>> settings as well?
>
> You raise the levels on one DC of your choice. The setting is stored
> inside the AD. So the replication brings it automatically to each DC in
> your domain/forest.
>
>
>
>
>> Can I do this live while the servers are in use and should I expect
>> any issues?
>
> Yes, you can. The levels are just values in the AD. See:
> http://eightwone.com/references/ad-functional-levels/
> For Samba they don't have a high weight at the moment. But if you're
> having Windows servers in your forest, the levels allow new features (AD
> recycle bin, etc.), but also exclude older Windows server versions from
> being a DC in your domain/forest. So take my warning seriously: :-)
>
> https://wiki.samba.org/index.php/Raising_the_functional_levels#Impact_of_upgrading_the_functional_levels
>
>
>
> Regards,
> Marc
>

