[Samba] Domain password policy with Samba AD DC

Peter Milesson miles at atmos.eu
Sat Aug 26 16:02:44 UTC 2023

Hi Anantha,

I now know (the hard way) that it's possible to manage the password 
policies with samba-tool. But through my futile trials and information 
on different web sites (very little documentation in the Samba wiki), it 
is evident that it's not possible using Group Policy Manager from the 
RSAT tool suite. IMHO, it's quite perplexing for a user that does not 
know Samba AD DC configuration extremely well.

If you have got a workaround, allowing the use of the RSAT Group Policy 
Manager, I, and probably many others, would be happy to get some 
information on how this is done.

Thanks for your input.

Best regards,


On 26.08.2023 11:49, Peter Milesson via samba wrote:
> Hi folks,
> I just wonder why it is not possible to set domain password policies 
> with GPO, using the Windows RSAT Group Policy Manager? For most other 
> settings, using GPOs through RSAT works.
> For somebody who sets up a Samba AD DC infrequently, this is a huge 
> trap. There should be a very visible warning on the AD DC setup wiki 
> page, that you *must* set up password policies with samba-tool, if you 
> plan to change the default password policies (which I assume most will 
> do). It should also be very clearly noted that it is not possible to 
> do this with RSAT (as lots of people will try that anyway). This 
> warning should also be displayed on the Group Policy wiki page. If 
> there are other GPO policies that cannot be set with RSAT, those 
> should also be listed.
> For those living with Samba daily, this may seem like nitpicking, but 
> for the administrator who wants to try Samba as an alternative to 
> Windows server, this could really be the brick wall that decides the 
> final decision.
> I'm just setting up a test domain for pre-implementation testing, and 
> stumbled on this problem. As I frequently read the Samba list, I had a 
> feeling that I had seen some posts about this problem. Searching old 
> posts, I found enough information to make further searches, which 
> saved the better part of a day.
> IMHO, this is such a fundamental activity when setting up a new 
> domain, that it deserves to be clearly noted.
> I wish everybody a nice day,
> Peter
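
Because password settings edited in the RSAT Group Policy Manager do not reach a Samba AD DC, the policy the domain really enforces is worth checking from samba-tool itself. The script below is an added example, not part of the posts above: it audits the output of `samba-tool domain passwordsettings show` against a baseline. The baseline thresholds, the function names and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit the password policy the Samba AD DC actually enforces.
# On a DC:  samba-tool domain passwordsettings show | audit_pwpolicy
# Baseline thresholds are assumptions for illustration; set them to your policy.
MIN_LENGTH=12
MIN_HISTORY=24

# Constructed sample, modelled on `samba-tool domain passwordsettings show`.
SAMPLE_POLICY="Password information for domain 'DC=samdom,DC=example,DC=com'

Password complexity: on
Store plaintext passwords: off
Password history length: 24
Minimum password length: 7
Minimum password age (days): 1
Maximum password age (days): 42
Account lockout duration (mins): 30
Account lockout threshold (attempts): 0
Reset account lockout after (mins): 30"

# field LABEL: print the value that follows "LABEL:" in $POLICY.
field() {
    printf '%s\n' "$POLICY" | awk -F': *' -v k="$1" '$1 == k { print $2; exit }'
}

# ge VALUE MIN: true when VALUE is an integer >= MIN (missing/garbled = false).
ge() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge "$2" ]
}

# Reads the policy on stdin, prints one FAIL line per deviation,
# returns 0 when the policy meets the baseline and 1 otherwise.
audit_pwpolicy() {
    POLICY=$(cat)
    rc=0
    [ "$(field 'Password complexity')" = "on" ] \
        || { echo "FAIL: password complexity is not on"; rc=1; }
    [ "$(field 'Store plaintext passwords')" = "off" ] \
        || { echo "FAIL: plaintext password storage is not off"; rc=1; }
    ge "$(field 'Minimum password length')" "$MIN_LENGTH" \
        || { echo "FAIL: minimum length below $MIN_LENGTH"; rc=1; }
    ge "$(field 'Password history length')" "$MIN_HISTORY" \
        || { echo "FAIL: history length below $MIN_HISTORY"; rc=1; }
    ge "$(field 'Account lockout threshold (attempts)')" 1 \
        || { echo "FAIL: account lockout threshold is below 1"; rc=1; }
    return "$rc"
}

# Demo on the constructed sample; fix findings with e.g.
#   samba-tool domain passwordsettings set --min-pwd-length=12 --account-lockout-threshold=5
printf '%s\n' "$SAMPLE_POLICY" | audit_pwpolicy || true
```

Run from cron or a monitoring check on a DC, the non-zero exit status flags a domain whose enforced policy has drifted from what administrators believe they configured.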
