Group Policy Container is unreadable or

I could be mistaken, but from PowerShell you can try to identify the GPO you are having the problem with, then manage it with RSAT:

Get-GPO -Guid 4238D218-9575-4AB4-B407-68C71366834F -Domain "avion.lan"

The other option about ignoring the GPO (if it really isn’t applicable):

ad_gpo_ignore_unreadable was added. This option, which defaults to false, can be used to ignore group policy containers in AD with unreadable or missing attributes. This is for the case when server contains GPOs that have very strict permissions on their attributes in AD but are unrelated to access control (#3867)

ad_gpo_ignore_unreadable (boolean)

Normally when some group policy containers (AD object) of applicable group policy objects are not readable by SSSD then users are denied access. This option allows to ignore group policy containers and with them associated policies if their attributes in group policy containers are not readable for SSSD.

Default: False

It is supposed to go in the corresponding domain section of sssd.conf.

https://www.pagure.io/SSSD/sssd/issue/4133#comment-625772
https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.org/thread/WGM7Q3TGUR7T3XIGDJNKDMMJGBPU23YD/
Info available to Red Hat subscribers: SSSD reports: Group Policy Container is unreadable or has unreadable or missing attributes - Red Hat Customer Portal

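An added example, not part of the original post or of SSSD itself: a small Python check that `ad_gpo_ignore_unreadable` sits in a `[domain/...]` section of sssd.conf, as the post describes, and that reports the `ad_gpo_access_control` mode set beside it. The sample configuration is constructed (the domain name is the one from the `Get-GPO` command above), and the function name `audit_gpo_ignore` is hypothetical.

```python
import configparser

OPTION = "ad_gpo_ignore_unreadable"

# Constructed sample sssd.conf; not taken from a real host.
SAMPLE_SSSD_CONF = """
[sssd]
services = nss, pam
domains = avion.lan
# Misplaced copy: the option belongs in the domain section, not here.
ad_gpo_ignore_unreadable = True

[domain/avion.lan]
id_provider = ad
access_provider = ad
ad_gpo_access_control = enforcing
ad_gpo_ignore_unreadable = True
"""


def audit_gpo_ignore(conf_text):
    """Return (domains with the option enabled, sections where it is misplaced)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(conf_text)
    enabled, misplaced = {}, []
    for section in cp.sections():
        if not cp.has_option(section, OPTION):
            continue
        if not section.startswith("domain/"):
            misplaced.append(section)
            continue
        if cp.getboolean(section, OPTION):
            # Keep the GPO mode next to the finding: when unreadable GPOs are
            # ignored, any policy they carry is skipped for access decisions.
            mode = cp.get(section, "ad_gpo_access_control", fallback="(not set)")
            enabled[section[len("domain/"):]] = mode
    return enabled, misplaced


if __name__ == "__main__":
    enabled, misplaced = audit_gpo_ignore(SAMPLE_SSSD_CONF)
    for domain, mode in enabled.items():
        print(f"{domain}: unreadable GPOs ignored (ad_gpo_access_control={mode})")
    for section in misplaced:
        print(f"[{section}]: {OPTION} found outside a [domain/<name>] section")
```

Before enabling the option on a real host, confirm with `Get-GPO` that the unreadable GPO really is unrelated to access control, since its settings are skipped once it is ignored.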