Hi, The docs for ad_gpo_implicit_deny reads:
"Normally when no applicable GPOs are found the users are allowed access. When this option is set to True users will be allowed access only when explicitly allowed by a GPO rule. Otherwise users will be denied access. This can be used to harden security but be careful when using this option because it can deny access even to users in the built-in Administrators group if no GPO rules apply to them." In my case, there are GPOs found, it's just that none of them touches RemoteInteractiveLogonRight or DenyRemoteInteractiveLogonRight. Does ad_gpo_implicit_deny work in such a way that it's only effective when no (0) GPOs are found? That might explain the behaviour I'm seeing. If this is the case, I suggest that ad_gpo_implicit_deny should be effective also when none of the detected GPOs explicitly allows or denies remote logon. _______________________________________________ sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org