As johannes-martin pointed out default value for ad_gpo_map_batch doesn't work on Ubuntu Xenial and newer because cron service runs as cron not crond.
Solution to this issue would be listing cron as PAM service name and restarting sssd. ad_gpo_map_batch = +cron -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1572908 Title: sssd-ad pam_sss(cron:account): Access denied for user To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/sssd/+bug/1572908/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs