Hi Jacub,

Hi Koen, I don't have a complete answer, but I'll try to help and maybe we can work out some details. First, do you have an actual AD server around to test with? In the past we've seen bugs with Samba that didn't occur with AD and I'm not sure if anyone tried the GPO integration with Samba.. The SSSD version you're running is pretty recent, the only GPO-related bug after the 1.12.3 release was https://fedorahosted.org/sssd/ticket/2543
Pretty sure it has nothing to do with unresolvable LDAP uri :-)

I don't have a Windows AD, but I can definitely try to set up one on our test environment.

But that s gonna take some time.

I would advice against enumerate=True in large environments.
We dont have a large environment, and I put it there, on purpose, to see if it worked :-)
Once I have everything working as it should I will revise the settings before I deploy it on all our linux machines.

You can drop ldap_schema=ad, it's already the default for id_provider=ad
OK good to know, thanks for that !

Can you confirm that the GUIDs of the GPOs SSSD downloads correspond to
those you defined on the sever side?

[root@pdc Policies]# ls
{31B2F340-016D-11D2-945F-00C04FB984F9}  - This is the Default Policy ( empty )
{691A69C9-FEF3-4A42-8129-64E8741F9D2C}  - Other Policy, not for this OU
{6AC1786C-016F-11D2-945F-00C04FB984F9}  - Same
{D49E3752-2ECB-42F6-A418-2AE1F3092929}  - This is the Policy containing the deny rules for user Testuser (Deny log on locally and Deny log on through Remote Desktop )
{E55C6360-FBC1-485A-8EFF-A7D9392514D2} - Other Policy, not for this OU
Note that func_versions is 2 and flags is 0, same for the other GPO.
What does that mean? :-)

OK, access was denied but since both the flags and the func_version were
value we expect, I presume the code made it all the way to
ad_gpo_evaluate_ace() where the GPO is really evaluated. Unfortunately
there's not much logging there. I wonder if the GUIDs are correct? If
so, we can proceed with debugging, maybe with some instrumented build..

There is one SID I cant figure out: [ad_gpo_parse_machine_ext_names] (0x4000): gpo_cse_guids[0] is {827D319E-6EAC-11D2-A4EA-00C04F79F83A} 
btw did you also try the other way around, only allow access? 
Yes, same issue

Regards and thanks for the help!, Koen