Hi guys,

I've been trying to work out how to set a GPO that allows certain Groups (Domain Users) a password expiry of 60 days and another group (Domain admins) an expiry of 30 days, but when looking through the Group Policy Manager I don't see how to achieve this.

After looking around online I stumbled across the domain Functionality Level which if I understand means that I have to increase it from 2003 to 2008 in order to be able to allow this.

Is this true, do I have to upgrade the level, or am I just missing the way to achieve the above?

I see that ... https://wiki.samba.org/index.php/Raising_the_functional_levels#Impact_of_upgrading_the_functional_levels

...talks about ensuring that your forest level isn't higher than your domain level so I'll set them both to 2008 functionality, and I presume that if I increase this on my PDC I'll need to increase it on my other Samba4 domain controller that is replicating settings as well?

Can I do this live while the servers are in use and should I expect any issues?

Thanks, any help is greatly appreciated.

Regards.

Neil Wilson.

Ryan Ashley
2014-Oct-01 18:26 UTC
[Samba] Domain Functionality Level and GPO password policies
My memory may be bad here, but I could swear I did this in a 2003 R2 domain. Basically I set the default domain password settings in the default domain policy. Then I created a second GPO and linked it to an OU in the domain and it had separate password settings. It worked fine. This was prior to 2008 coming out.

On 10/01/2014 08:33 AM, Neil wrote:
> Hi guys,
>
> I've been trying to work out how to set a GPO that allows certain
> Groups (Domain Users) a password expiry of 60 days and another group
> (Domain admins) an expiry of 30 days, but when looking through the
> Group Policy Manager I don't see how to achieve this.
>
> After looking around online I stumbled across the domain Functionality
> Level which if I understand means that I have to increase it from 2003
> to 2008 in order to be able to allow this.
>
> Is this true, do I have to upgrade the level, or am I just missing the
> way to achieve the above?
>
> I see that ... https://wiki.samba.org/index.php/Raising_the_functional_levels#Impact_of_upgrading_the_functional_levels
>
> ...talks about ensuring that your forest level isn't higher than
> your domain level so I'll set them both to 2008 functionality, and I
> presume that if I increase this on my PDC I'll need to increase it on
> my other Samba4 domain controller that is replicating settings as
> well?
>
> Can I do this live while the servers are in use and should I expect any issues?
>
> Thanks, any help is greatly appreciated.
>
> Regards.
>
> Neil Wilson.

Marc Muehlfeld
2014-Oct-01 21:33 UTC
[Samba] Domain Functionality Level and GPO password policies
Hello Neil,

On 01.10.2014 at 14:33, Neil wrote:
> I've been trying to work out how to set a GPO that allows certain
> Groups (Domain Users) a password expiry of 60 days and another group
> (Domain admins) an expiry of 30 days, but when looking through the
> Group Policy Manager I don't see how to achieve this.

You can't do this at the moment, because it has to be validated on the domain controller(s) and Samba DCs don't know what to do with GPO.

https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F

> ...and I presume that if I increase this on my PDC I'll need to
> increase it on my other Samba4 domain controller that is replicating
> settings as well?

You raise the levels on one DC of your choice. The setting is stored inside the AD. So the replication brings it automatically to each DC in your domain/forest.

> Can I do this live while the servers are in use and should I expect
> any issues?

Yes, you can. The levels are just values in the AD. See: http://eightwone.com/references/ad-functional-levels/

For Samba they don't have a high weight at the moment. But if you're having Windows servers in your forest, the levels allow new features (AD recycle bin, etc.), but also exclude older Windows server versions from being a DC in your domain/forest. So take my warning seriously: :-)

https://wiki.samba.org/index.php/Raising_the_functional_levels#Impact_of_upgrading_the_functional_levels

Regards,
Marc