In *aaS situations the people maintaining a DC's smb.conf are not necessarily the ones maintaining the domain. It is tricky in this case for the list of schannel-less machines to be maintained in the smb.conf.
If the smb.conf could name a group to which only the insecure machines belonged, the domain admins could keep it current without bothering the lower-level admins.
I'm imagining something like:
    server schannel = yes
    server require schannel:group:machines-without-schannel = no
would allow machines in the group "machines-without-schannel" to not use schannel.
(In reply to Douglas Bagnall from comment #0)
I'd do it via GPOs on Windows, or specify the ACL in SDDL in smb.conf.
The ACL could contain an ACE for a group.
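
The per-machine exception list that comment #0 describes as hard to keep current can at least be audited. This added example (not part of the original comments and not Samba code) reads an smb.conf and lists the accounts exempted through the existing `server require schannel:COMPUTERACCOUNT = no` form; the sample file and machine names are constructed, and the group syntax proposed above is not handled because it is only a proposal.

```python
import re

# Constructed sample smb.conf (not from the bug report); machine names are made up.
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    server schannel = yes
    ; legacy devices that cannot do schannel
    server require schannel:LEGACY1$ = no
    Server Require Schannel:oldnas$ = No
    server require schannel:FILESRV$ = yes
[share]
    path = /srv/share
"""

PREFIX = "server require schannel:"
# Spellings treated as boolean false here (assumed to match smb.conf booleans).
FALSE_VALUES = {"no", "false", "off", "0"}


def schannel_exceptions(conf_text):
    """Return (server schannel value, sorted accounts allowed to skip schannel)."""
    section, schannel, exempt = None, None, set()
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue                          # only [global] settings matter here
        name, value = (part.strip() for part in line.split("=", 1))
        name = re.sub(r"\s+", " ", name).lower()
        value = value.lower()
        if name == "server schannel":
            schannel = value
        elif name.startswith(PREFIX):
            account = name[len(PREFIX):].strip().upper()
            # A later line for the same account overrides an earlier one.
            (exempt.add if value in FALSE_VALUES else exempt.discard)(account)
    return schannel, sorted(exempt)


if __name__ == "__main__":
    mode, accounts = schannel_exceptions(SAMPLE_CONF)
    print(f"server schannel = {mode}; exempt accounts: {accounts}")
```

Comparing this output with the directory's list of machines that still need the exception shows where the smb.conf and the domain have drifted apart.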