sssd incorrectly permits login when no gpo found and ad_gpo_implicit_deny is set to True

Solution Unverified - Updated -


  • On a RHEL host running sssd connected to a Windows domain, it is possible for a user to login who should not be permitted login access.
  • The login is permitted despite ad_gpo_implicit_deny = True being set in sssd.conf.
  • If any GPO has been applied to the RHEL 8 host, regardless if it performs any sssd related changes, the login permissions function correctly and users who should not have access will be denied.


  • Red Hat Enterprise Linux (RHEL)
    • 7.9
    • 8.3
  • System Security Services Daemon (SSSD)
    • sssd-1.16.5-10.el7_9.7.x86_64
    • sssd-2.3.0-9.el8.x86_64

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase of over 48,000 articles and solutions.

Current Customers and Partners

Log in for full access

Log In