I'm currently using samba4 as an AD DC (domain and forest are both configured with the samba-tool command to be at the 2008_R2 functional level) for both Windows and Linux systems. I've got the default password settings set using the "samba-tool domain passwordsettings" command and I have all the GPOs configured as I need them for clients. However, I would like to configure how the account lockout functions for the domain accounts. I read that there isn't currently support for server side GPOs, so I'm not certain how to configure this, or if its even possible. To be clear, I'm using Zentyal 3.0 (distro built from Ubuntu 12.04) which has a pre-built "zentyal-samba" package installed but from what I can tell it's just samba4.0 (that's what it tells me when I use samba --version) What I've tried thus far: 1. Use testparm -v to get a complete list of all possible smb.conf values - didn't see much in there 2. Manually edit the account_policy.tdb database within the samba folder identified in the current smb.conf file with tdbtool - it looks like there ARE settings here that might apply, but for some reason changes aren't being reflected. For example, when I use the samba-tool domain passwordsettings set --min-pwd-age=5 the account_policy.tdb key corresponding to pass min age does NOT get updated, but I have validated that the changes DO take immediate effect. Maybe the account_policy.tdb file is legacy and not used when the active role is DC with a 2008_R2 functional level? My question with respect to samba is two fold: is it even POSSIBLE to have samba detect multiple failed login attempts and "lock" an account once a certain threshold has been reached and if so how is that configured? Thanks so much for any information you can provide! -Chris Stoneburner