Hi folks,

I just wonder why it is not possible to set domain password policies with GPO, using the Windows RSAT Group Policy Manager? For most other settings, using GPOs through RSAT works.

For somebody who sets up a Samba AD DC infrequently, this is a huge trap. There should be a very visible warning on the AD DC setup wiki page, that you *must* set up password policies with samba-tool, if you plan to change the default password policies (which I assume most will do). It should also be very clearly noted that it is not possible to do this with RSAT (as lots of people will try that anyway). This warning should also be displayed on the Group Policy wiki page. If there are other GPO policies that cannot be set with RSAT, those should also be listed.

For those living with Samba daily, this may seem like nitpicking, but for the administrator who wants to try Samba as an alternative to Windows server, this could really be the brick wall that decides the final decision.

I'm just setting up a test domain for pre-implementation testing, and stumbled on this problem. As I frequently read the Samba list, I had a feeling that I had seen some posts about this problem. Searching old posts, I found enough information to make further searches, which saved the better part of a day.

IMHO, this is such a fundamental activity when setting up a new domain, that it deserves to be clearly noted.

I wish everybody a nice day,

Peter

Hi Anantha,

I now know (the hard way) that it's possible to manage the password policies with samba-tool. But through my futile trials and information on different web sites (very little documentation in the Samba wiki), it is evident that it's not possible using Group Policy Manager from the RSAT tool suite. IMHO, it's quite perplexing for a user that does not know Samba AD DC configuration extremely well.

If you have got a workaround, allowing the use of the RSAT Group Policy Manager, I, and probably many others, would be happy to get some information on how this is done.

Thanks for your input.

Best regards,

Peter

On 26.08.2023 11:49, Peter Milesson via samba wrote:
> Hi folks,
>
> I just wonder why it is not possible to set domain password policies
> with GPO, using the Windows RSAT Group Policy Manager? For most other
> settings, using GPOs through RSAT works.
>
> For somebody who sets up a Samba AD DC infrequently, this is a huge
> trap. There should be a very visible warning on the AD DC setup wiki
> page, that you *must* set up password policies with samba-tool, if you
> plan to change the default password policies (which I assume most will
> do). It should also be very clearly noted that it is not possible to
> do this with RSAT (as lots of people will try that anyway). This
> warning should also be displayed on the Group Policy wiki page. If
> there are other GPO policies that cannot be set with RSAT, those
> should also be listed.
>
> For those living with Samba daily, this may seem like nitpicking, but
> for the administrator who wants to try Samba as an alternative to
> Windows server, this could really be the brick wall that decides the
> final decision.
>
> I'm just setting up a test domain for pre-implementation testing, and
> stumbled on this problem. As I frequently read the Samba list, I had a
> feeling that I had seen some posts about this problem. Searching old
> posts, I found enough information to make further searches, which
> saved the better part of a day.
>
> IMHO, this is such a fundamental activity when setting up a new
> domain, that it deserves to be clearly noted.
>
> I wish everybody a nice day,
>
> Peter

On Sat, 2023-08-26 at 11:49 +0200, Peter Milesson via samba wrote:
> Hi folks,
>
> I just wonder why it is not possible to set domain password policies
> with GPO, using the Windows RSAT Group Policy Manager? For most other
> settings, using GPOs through RSAT works.
>
> For somebody who sets up a Samba AD DC infrequently, this is a huge
> trap. There should be a very visible warning on the AD DC setup wiki
> page, that you *must* set up password policies with samba-tool, if you
> plan to change the default password policies (which I assume most will
> do). It should also be very clearly noted that it is not possible to
> do this with RSAT (as lots of people will try that anyway). This
> warning should also be displayed on the Group Policy wiki page. If
> there are other GPO policies that cannot be set with RSAT, those
> should also be listed.

Thanks Peter for reaching out on this,

So, the challenge is that in the past, Samba didn't know how to read these, and the settings were just ignored. Now it can, but given there are now existing domains, which setting should be primary, the one in the DB or the one in the GPO?

That is why the smb.conf setting "apply group policies" needs to be set to Yes if the GPO approach is to be taken.

Feel free to ask for a wiki account to point this out if you feel it would be helpful.

Andrew Bartlett

-- 
Andrew Bartlett (he/him)        https://samba.org/~abartlet/
Samba Team Member (since 2001)  https://samba.org
Samba Team Lead                 https://catalyst.net.nz/services/samba
Catalyst.Net Ltd

Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company

Samba Development and Support: https://catalyst.net.nz/services/samba

Catalyst IT - Expert Open Source Solutions
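
Added example, not part of the thread and not Samba project code: a small shell check that reads a DC's smb.conf and reports whether "apply group policies" is enabled, which per the reply above decides whether a password policy edited in RSAT is taken into account. The function names, output labels and the sample smb.conf are constructed for illustration.

```shell
#!/bin/sh
# smb.conf parameter names ignore case and embedded spaces, and booleans
# accept yes/true/1/on, so a plain grep for the literal string is unreliable.

# gpo_apply_state FILE -> prints "yes" or "no" ("no" is the default when unset)
gpo_apply_state() {
    awk '
        /^[ \t]*[#;]/ { next }                      # skip comment lines
        /^[ \t]*\[/ {                               # section header
            s = tolower($0); gsub(/[ \t\r]/, "", s)
            in_global = (s == "[global]"); next
        }
        in_global && index($0, "=") {
            key = tolower(substr($0, 1, index($0, "=") - 1))
            val = tolower(substr($0, index($0, "=") + 1))
            gsub(/[ \t]/, "", key)                  # "Apply Group Policies" -> applygrouppolicies
            gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == "applygrouppolicies")        # last occurrence wins
                state = (val ~ /^(yes|true|1|on)$/) ? "yes" : "no"
        }
        END { print (state == "" ? "no" : state) }
    ' "$1"
}

# password_policy_source FILE -> "gpo-applied" or "samba-tool" (labels are ours)
password_policy_source() {
    if [ "$(gpo_apply_state "$1")" = "yes" ]; then
        echo "gpo-applied"     # GPO password settings are read, as described in the reply
    else
        echo "samba-tool"      # manage with: samba-tool domain passwordsettings show|set
    fi
}

# Constructed sample smb.conf for a DC (host and realm names are made up).
sample_conf() {
    cat <<'EOF'
[global]
    netbios name = DC1
    realm = SAMDOM.EXAMPLE.COM
    server role = active directory domain controller
    Apply Group Policies = Yes
EOF
}

tmp=$(mktemp)
sample_conf > "$tmp"
password_policy_source "$tmp"
rm -f "$tmp"
```

On a live DC, `testparm -s --parameter-name="apply group policies"` reports the value Samba itself parsed and is the authoritative check.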