[SSSD-users] Password expiration in AD with SSSD

Hi, I want to warn users when password expiration days are less than 14 days. I have GPO Default domain policy with this number of days. I have sssd.conf as: [sssd] domains = internal.domain.tld config_file_version = 2 services = nss, pam [domain/internal.domain.tld] cache_credentials = True debug_level = 6 id_provider = ad auth_provider = ad access_provider = ad default_shell = /bin/bash fallback_homedir = /home/%d/%u ldap_id_mapping = True ldap_schema = ad enumerate = True ad_site=internal1 ad_gpo_access_control = permissive ad_gpo_ignore_unreadable = True And pam.d as follow: #%PAM-1.0 auth sufficient pam_sss.so forward_pass auth required pam_unix.so try_first_pass nullok auth optional pam_permit.so auth required pam_env.so #auth requisite pam_deny.so account required pam_unix.so account [default=bad success=ok user_unknown=ignore] pam_sss.so account optional pam_permit.so account required pam_time.so password required pam_unix.so try_first_pass nullok sha512 shadow password sufficient pam_sss.so use_authok password optional pam_permit.so session required pam_mkhomedir.so skel=/etc/skel/ umask=0022 session required pam_limits.so session required pam_unix.so session optional pam_sss.so session optional pam_permit.so User has password valid till 20.02.2020 and yet I don't have any warning. I had to add ad_gpo_ignore_unreadable = True and ad_gpo_access_control = permissive to my config because without it I end up with "System error" during login and unsuccessful login. In gpo_cache I see Machine gpo with lines: [Registry Values] MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14 Any idea how to turn on this warning? Thanks for your help! ----- Best regards, Pawel