samba - Oct 2014 - Domain Functionality Level and GPO password policies

Hi guys,

I've been trying to work out how to set a GPO that allows certain
Groups (Domain Users) a password expiry of 60 days and another group
(Domain admins) an expiry of 30 days, but when looking through the
Group Policy Manager I don't see how to achieve this.

After looking around online I stumbled across the domain Functionality
Level which if I understand means that I have to increase it from 2003
to 2008 in order to be able to allow this.

Is this true, do I have to upgrade the level, or am I just missing the
way to achieve the above?

I see that ...
https://wiki.samba.org/index.php/Raising_the_functional_levels#Impact_of_upgrading_the_functional_levels

...talks about the ensuring that your forest level isn't higher than
your domain level so I'll set  them both to 2008 functionality, and I
presume that if I increase this on my PDC I'll need to increase it on
my other Samba4 domain controller that is replicating settings as
well?

Can I do this live while the servers are in use and should I expect any issues?

Thanks, any help is greatly appreciated.

Regards.

Neil Wilson.

My memory may be bad here, but I could swear I did this in a 2003 R2 
domain. Basically I set the default domain password settings in the 
default domain policy. Then I created a second GPO and linked it to an 
OU in the domain and it had separate password settings. It worked fine. 
This was prior to 2008 coming out.

On 10/01/2014 08:33 AM, Neil wrote:
> Hi guys,
>
> I've been trying to work out how to set a GPO that allows certain
> Groups (Domain Users) a password expiry of 60 days and another group
> (Domain admins) an expiry of 30 days, but when looking through the
> Group Policy Manager I don't see how to achieve this.
>
> After looking around online I stumbled across the domain Functionality
> Level which if I understand means that I have to increase it from 2003
> to 2008 in order to be able to allow this.
>
> Is this true, do I have to upgrade the level, or am I just missing the
> way to achieve the above?
>
> I see that ...
https://wiki.samba.org/index.php/Raising_the_functional_levels#Impact_of_upgrading_the_functional_levels
>
> ...talks about the ensuring that your forest level isn't higher than
> your domain level so I'll set  them both to 2008 functionality, and I
> presume that if I increase this on my PDC I'll need to increase it on
> my other Samba4 domain controller that is replicating settings as
> well?
>
> Can I do this live while the servers are in use and should I expect any
issues?
>
> Thanks, any help is greatly appreciated.
>
> Regards.
>
> Neil Wilson.

Hello Neil,

Am 01.10.2014 um 14:33 schrieb Neil:
> I've been trying to work out how to set a GPO that allows certain
> Groups (Domain Users) a password expiry of 60 days and another group
> (Domain admins) an expiry of 30 days, but when looking through the
> Group Policy Manager I don't see how to achieve this.
You can't do this at the moment, because it has to be validated on the
domain controller(s) and Samba DCs don't know what to do with GPO.

https://wiki.samba.org/index.php/FAQ#Is_it_possible_to_set_user_specific_password_policies_in_Samba4_.28e._g._on_a_OU-base.29.3F



> ...and I presume that if I increase this on my PDC I'll need to
> increase it on my other Samba4 domain controller that is replicating
> settings as well?
You raise the levels on one DC of your choice. The setting is stored
inside the AD. So the replication brings it automatically to each DC in
your domain/forest.



> Can I do this live while the servers are in use and should I expect
> any issues?
Yes, you can. The levels are just values in the AD. See:
http://eightwone.com/references/ad-functional-levels/
For Samba they don't have a high weight at the moment. But if you're
having Windows servers in your forest, the levels allow new features (AD
recycle bin, etc.), but also exclude older Windows server versions from
being a DC in your domain/forest. So take my warning seriously: :-)

https://wiki.samba.org/index.php/Raising_the_functional_levels#Impact_of_upgrading_the_functional_levels



Regards,
Marc