I want to warn users when password expiration days are less than 14 days.

I have GPO Default domain policy with this number of days.
I have sssd.conf as:
domains = internal.domain.tld
config_file_version = 2
services = nss, pam

cache_credentials = True
debug_level = 6
id_provider = ad
auth_provider = ad
access_provider = ad

default_shell = /bin/bash
fallback_homedir = /home/%d/%u
ldap_id_mapping = True
ldap_schema = ad
enumerate = True
ad_gpo_access_control = permissive
ad_gpo_ignore_unreadable = True
And pam.d as follow:

auth      sufficient pam_sss.so forward_pass
auth      required   pam_unix.so     try_first_pass nullok
auth      optional    pam_permit.so
auth      required    pam_env.so
#auth      requisite    pam_deny.so

account   required    pam_unix.so
account   [default=bad success=ok user_unknown=ignore]  pam_sss.so
account   optional    pam_permit.so
account   required    pam_time.so

password  required    pam_unix.so     try_first_pass nullok sha512 shadow
password  sufficient                                    pam_sss.so use_authok
password  optional    pam_permit.so

session   required                                      pam_mkhomedir.so skel=/etc/skel/ umask=0022
session   required    pam_limits.so
session   required    pam_unix.so
session   optional    pam_sss.so
session   optional    pam_permit.so

User has password valid till 20.02.2020 and yet I don't have any warning.
I had to add ad_gpo_ignore_unreadable = True and ad_gpo_access_control = permissive to my config because without it I end up with "System error" during login and unsuccessful login.

In gpo_cache I see Machine gpo with lines:
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14

Any idea how to turn on this warning?

Thanks for your help!
Best regards,