[Samba] Domain password policy with Samba AD DC

Peter Milesson miles at atmos.eu
Sat Aug 26 09:49:11 UTC 2023

Hi folks,

I just wonder why it is not possible to set domain password policies 
with GPO, using the Windows RSAT Group Policy Manager? For most other 
settings, using GPOs through RSAT works.

For somebody who sets up a Samba AD DC infrequently, this is a huge 
trap. There should be a very visible warning on the AD DC setup wiki 
page, that you *must* set up password policies with samba-tool, if you 
plan to change the default password policies (which I assume most will 
do). It should also be very clearly noted that it is not possible to do 
this with RSAT (as lots of people will try that anyway). This warning 
should also be displayed on the Group Policy wiki page. If there are 
other GPO policies that cannot be set with RSAT, those should also be 

For those living with Samba daily, this may seem like nitpicking, but 
for the administrator who wants to try Samba as an alternative to 
Windows server, this could really be the brick wall that decides the 
final decision.

I'm just setting up a test domain for pre-implementation testing, and 
stumbled on this problem. As I frequently read the Samba list, I had a 
feeling that I had seen some posts about this problem. Searching old 
posts, I found enough information to make further searches, which saved 
the better part of a day.

IMHO, this is such a fundamental activity when setting up a new domain, 
that it deserves to be clearly noted.

I wish everybody a nice day,

