If you or your users are interrupted every couple of minutes by the following error/report on your RHEL server, during an SSH session or when a crontab job runs:

sssd[be[ngs2.local]]:Group Policy Container with DN [cn={xxxxxx-xxxxx-xxxx-xxxx-xxxxxxxxx},cn=policies,cn=system,DC=virtualinca,DC=lab] is unreadable or has unreadable or missing attributes. In order to fix this make sure that this AD object has following attributes readable: nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags. Alternatively if you do not have access to the server or can not change permissions on this object, you can use option ad_gpo_ignore_unreadable = True which will skip this GPO.See ‘man ad_gpo_ignore_unreadable for details.’

There is no need to worry: this is a non-critical error and can easily be fixed. It happens because your AD contains a GPO that has not been fully configured for SSSD to be able to read.

First, try to resolve the error from within Active Directory by checking that the listed GPO has the following attributes readable:

nTSecurityDescriptor, cn, gPCFileSysPath, gPCMachineExtensionNames, gPCFunctionalityVersion, flags
The other solution is to configure SSSD to ignore unreadable GPOs (each such GPO is then skipped, as the message says) by adding the following configuration option to the sssd.conf file using your preferred text editor:

vi /etc/sssd/sssd.conf

and simply add ad_gpo_ignore_unreadable = True into the [domain/…] section:



ad_gpo_ignore_unreadable = True


and save sssd.conf with the :wq! command.

After changing the configuration file, you can clear the SSSD cache and restart the SSSD service with the following command:

systemctl stop sssd && rm -f /var/lib/sss/db/* && systemctl start sssd
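To apply the same sssd.conf change repeatably on several hosts, the edit can be scripted. This is an added example, not part of the original post: `set_gpo_ignore` is a hypothetical helper name and the sample file is constructed.

```bash
# Sets ad_gpo_ignore_unreadable = True in every [domain/...] section of the given
# sssd.conf and leaves all other sections alone. Safe to run repeatedly.
set_gpo_ignore() {
    conf=$1
    tmp=$(mktemp) || return 1
    # The file is read twice: pass 1 records which domain sections already set the
    # key, pass 2 rewrites the value or adds the key right after the section header.
    awk -v opt='ad_gpo_ignore_unreadable = True' '
        FNR == 1    { sec = ""; dom = 0 }
        /^[ \t]*\[/ { sec = $0; dom = (sec ~ /^[ \t]*\[domain\//) }
        NR == FNR   { if (dom && /^[ \t]*ad_gpo_ignore_unreadable[ \t]*=/) has[sec] = 1; next }
        dom && /^[ \t]*ad_gpo_ignore_unreadable[ \t]*=/ {
            if (!done[sec]++) print opt      # normalise the value, drop duplicates
            next
        }
        { print }
        /^[ \t]*\[/ && dom && !has[sec] { print opt }
    ' "$conf" "$conf" > "$tmp" || { rm -f "$tmp"; return 1; }
    if cmp -s "$conf" "$tmp"; then           # already correct: leave the file untouched
        rm -f "$tmp"; return 0
    fi
    cp -p "$conf" "$conf.bak" || { rm -f "$tmp"; return 1; }   # backup keeps mode and owner
    cat "$tmp" > "$conf"                     # rewrite in place so the file mode is kept
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Constructed sample file (not a real configuration) to show the effect.
demo_conf=$(mktemp)
cat > "$demo_conf" <<'EOF'
[sssd]
domains = example.test, lab.test

[domain/example.test]
id_provider = ad
ad_gpo_ignore_unreadable = False

[domain/lab.test]
id_provider = ad
EOF
set_gpo_ignore "$demo_conf" && cat "$demo_conf"
```

On a real host, run the function as root against /etc/sssd/sssd.conf, then clear the cache and restart SSSD with the command above.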