diff --git a/selftest/knownfail.d/password_settings b/selftest/knownfail.d/password_settings
new file mode 100644
index 00000000000..bbca928b0d4
--- /dev/null
+++ b/selftest/knownfail.d/password_settings
@@ -0,0 +1,3 @@
+# highlights a minor corner-case discrepancy between Windows and Samba
+samba4.ldap.password_settings.python.password_settings.PasswordSettingsTestCase.test_domain_pwd_history_zero\(ad_dc_ntvfs\)
+
diff --git a/source4/dsdb/tests/python/password_settings.py b/source4/dsdb/tests/python/password_settings.py
index 7712d241597..a5de7fffd69 100644
--- a/source4/dsdb/tests/python/password_settings.py
+++ b/source4/dsdb/tests/python/password_settings.py
@@ -794,4 +794,66 @@ unicodePwd:: %s
 """ % (userdn, password)
 self.ldb.modify_ldif(ldif)
+ def set_domain_pwdHistoryLength(self, value):
+ m = ldb.Message()
+ m.dn = ldb.Dn(self.ldb, self.ldb.domain_dn())
+ m["pwdHistoryLength"] = ldb.MessageElement(value, ldb.FLAG_MOD_REPLACE, "pwdHistoryLength")
+ self.ldb.modify(m)
+
+ def test_domain_pwd_history(self):
+ """Non-PSO test for domain's pwdHistoryLength setting"""
+
+ # restore the current pwdHistoryLength setting after the test completes
+ curr_hist_len = str(self.pwd_defaults.history_len)
+ self.addCleanup(self.set_domain_pwdHistoryLength, curr_hist_len)
+
+ self.set_domain_pwdHistoryLength("4")
+ user = self.add_user("testuser")
+
+ initial_pwd = user.get_password()
+ passwords = ["First12#", "Second12#", "Third12#", "Fourth12#"]
+
+ # we should be able to set the password to new values OK
+ for pwd in passwords:
+ self.assert_password_valid(user, pwd)
+
+ # the 2nd time round it should fail because they're in the history now
+ for pwd in passwords:
+ self.assert_password_invalid(user, pwd)
+
+ # but the initial password is now outside the history, so should be OK
+ self.assert_password_valid(user, initial_pwd)
+
+ # if we set the history to zero, all the old passwords should now be OK
+ self.set_domain_pwdHistoryLength("0")
+ for pwd in passwords:
+ self.assert_password_valid(user, pwd)
+
+ def test_domain_pwd_history_zero(self):
+ """Non-PSO test for pwdHistoryLength going from zero to non-zero"""
+
+ # restore the current pwdHistoryLength setting after the test completes
+ curr_hist_len = str(self.pwd_defaults.history_len)
+ self.addCleanup(self.set_domain_pwdHistoryLength, curr_hist_len)
+
+ self.set_domain_pwdHistoryLength("0")
+ user = self.add_user("testuser")
+
+ initial_pwd = user.get_password()
+ self.assert_password_valid(user, "NewPwd12#")
+ # we can set the exact same password again because there's no history
+ self.assert_password_valid(user, "NewPwd12#")
+
+ # There is a difference in behaviour here between Windows and Samba.
+ # When going from zero to non-zero password-history, Windows treats
+ # the current user's password as invalid (even though the password has
+ # not been altered since the setting changed). Whereas Samba accepts
+ # the current password (because it's not in the history until the
+ # *next* time the user's password changes.
+ self.set_domain_pwdHistoryLength("1")
+ self.assert_password_invalid(user, "NewPwd12#")
+
+
+
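Review bot: The final `self.assert_password_invalid(user, "NewPwd12#")` in test_domain_pwd_history_zero asserts the Windows behaviour that the preceding comment says Samba does not implement, so on Samba this assertion is expected to fail and is only kept green by the knownfail entry added in the same commit; the test itself never says so. I would put that next to the assertion, e.g. `# Samba currently accepts this change and the test is listed in selftest/knownfail.d/password_settings; drop that entry once the behaviour matches Windows`, so a later change to the password-history check is tied to un-silencing the test. The knownfail entry is scoped to `ad_dc_ntvfs` only; if this test also runs in other environments the same deviation would presumably fail there too, so the scope is worth checking. The parenthesis opened at `(because it's not in the history until the` is never closed.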