[SSSD-users] ad_gpo_default_right cannot make it work

Hello guys, All my sssd config is working fine, but for the last couple days I've been trying to make the ad_gpo works but have a weird issue I cannot fix Here is my sssd.conf [sssd] domains = glop.com config_file_version = 2 services = nss, pam [pam] pam_pwd_expiration_warning = 3 [domain/glop.com] debug_level = 8 ad_domain = glop.com krb5_realm = GLOP.COM realmd_tags = manages-system joined-with-samba cache_credentials = True krb5_store_password_if_offline = True default_shell = /bin/bash ldap_id_mapping = False use_fully_qualified_names = False fallback_homedir = /home/%u pwd_expiration_warning = 3 default_shell = /bin/bash dyndns_upadte = false id_provider = ad auth_provider = ad chpass_provider = ad access_provider = ad sudo_provider = ad ad_gpo_default_right = interactive #ad_gpo_map_type = permit ad_gpo_access_control = enforcing ad_gpo_implicit_deny = True ---------------- What ever settings I used in ad_gpo_default_right, does not seems to make a difference, in my sssd.log I always see [ad_gpo_access_check] (0x0400): RESULTANT POLICY: (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): gpo_map_type: Remote Interactive <=========== THIS IS MY PROBLEM (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): allowed_size = 0 (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): denied_size = 0 (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): CURRENT USER: (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): user_sid = S-1-5-21-1801037062-2975133201-2745703018-1106 (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): group_sids[0] = S-1-5-21-1801037062-2975133201-2745703018-1137 (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): group_sids[1] = S-1-5-21-1801037062-2975133201-2745703018-513 (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): group_sids[2] = S-1-5-11 (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): POLICY DECISION: (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): access_granted = 1 (Sun May 31 22:50:45 2020) [sssd[be[glop.com]]] [ad_gpo_access_check] (0x0400): access_denied = 0 My problem I believe is the first line 'gpo_map_type: Remote Interactive' My Windows Group Policy in windows is set with Allow log on locally => group_allowed Deny log on locally => group deny I have user1 member of group_allowed I have user2 member of group_deny At this point they can all logon, not what I expected :-( After a little bit of research, and because the log returns ' gpo_map_type: Remote Interactive' Instead of using the GPO settings: 'Allow log on locally & Deny log on locally', I then used the 'Allow log on Through remote desktop services & the Deny log on Through remote desktop services' And then everything works as expected so question : Why is it working with a GPO using the 'on Through Remote desktop' parameters, but not working with the 'Allow/Deny logon locally' is there a way to change: gpo_map_type: Remote Interactive to gpo_map_type: Interactive I have played with those 2 settings without success so far: ad_gpo_default_right = interactive ad_gpo_map_type = interactive Thanks for your help