Comment 16 for bug 1572908

According to man sssd-ad, the default configuration of sssd should allow cron jobs to be run:
---
       ad_gpo_map_batch (string)
           A comma-separated list of PAM service names for which GPO-based access control is evaluated based on the BatchLogonRight and DenyBatchLogonRight policy settings.

           Note: Using the Group Policy Management Editor this value is called "Allow log on as a batch job" and "Deny log on as a batch job".

           It is possible to add another PAM service name to the default set by using “+service_name” or to explicitly remove a PAM service name from the default set by using “-service_name”. For example, in order to replace a default PAM
           service name for this logon right (e.g. “crond”) with a custom pam service name (e.g. “my_pam_service”), you would use the following configuration:

               ad_gpo_map_batch = +my_pam_service, -crond

           Default: the default set of PAM service names includes:

           · crond
---

Could it be that the service name in Ubuntu differs from the configured service name (crond).

From the log:
Feb 8 10:40:01 host CRON[10308]: pam_sss(cron:account): Access denied for user someone: 6 (Permission denied)