Hello, I noticed some of our users having Linux authentication issues recently. Upon further digging, it happened when a GPO was applied to the same OU these Linux servers belonged to. The debug logs said there was an error due to a missing equal sign. I tracked down the policy and looked at the ini file and instantly noticed it differed from the normal format.

Many of our GPOs are in the format of:

But this one was like:

The result was that access was denied to the user logging into the server. 

1.) Should SSSD be able to parse GPOs using the template of Microsoft's SDDL (Security Descriptor Definition Language)?
2.) What options are available to restore access besides removing the GPO from the OU, or setting ad_gpo_access_control to disabled or permissive?

Daniel Bryan
DevOps Engineer | Stratus Solutions