In *aaS situations the people maintaining a DC's smb.conf are not necessarily the ones maintaining the domain. It is tricky in this case for the list of schannel-less machines to be maintained in the smb.conf. If the smb.conf could name a group to which only the insecure machines belonged, the domain admins could keep it current without bothering the lower level admins.

I'm imagining something like:

    server schannel = yes
    server require schannel:group:machines-without-schannel = no

would allow machines in the group "machines-without-schannel" to not use schannel.
(In reply to Douglas Bagnall from comment #0)

I'd do it via GPOs on Windows, or specify the ACL in SDDL in smb.conf. The ACL could contain an ACE for a group.