[Samba] Domain password policy with Samba AD DC

David Mulder dmulder at samba.org
Thu Sep 7 14:43:57 UTC 2023


On 9/7/23 3:22 AM, Peter Milesson via samba wrote:
>
> Now, things seem to clear a bit.
>
> Yesterday, I could still set passwords with length = 4 characters. 
> When letting everything "mature" overnight, the Default Domain Policy 
> seems to apply. Now, a minimum of 6 characters are required, and when 
> I run samba-tool domain passwordsettings, the parameter Minimum 
> password length = 6.
>
> Everything seems to be working, except for the fact, that gpupdate 
> /force in Windows does not immediately update the GPOs. If I run 
> samba-gpupdate --force, the altered GPO takes effect immediately, 
> however.
>
> So to summarize using GPME to update the GPO controlling password 
> policies:
>
>  *
>
>    Add apply group policies = yes in smb.conf (restart samba-ad-dc 
> service)
>
>  *
>
>    Log in as TESTDOM\\Administrator to a domain Windows PC with RSAT
>    tools installed
>
>  *
>
>    Edit the GPO Default Domain Policy/Computer
>    Configuration/Policies/Windows Settings/Security Settings/Account
>    Policies/Password Policy with GPME and close the GPME and GPMC
>
>  *
>
>    (Don't bother running gpupdate /force in Windows, it's got no effect
>    anyway)
>
>  *
>
>    If you want the changed GPO to take effekt immediately, run
>    samba-gpupdate --force on the DC, otherwise wait anything from 90 -
>    120 minutes.
>
Peter, would you be willing the update the wiki with instructions that 
helped you? You mentioned previously you were following some 
instructions that didn't mention how to set this up.

-- 
David Mulder
Labs Software Engineer, Samba
SUSE
1221 S Valley Grove Way, Suite 500
Pleasant Grove, UT 84062
(P)+1 385.208.2989
dmulder at suse.com
http://www.suse.com




More information about the samba mailing list