sssd: Is there a way to force a specific shell for some group members?

One way to achieve this goal is to declare several domains, restricting the first ones to just the members of a given group.

[sssd]
config_file_version = 2
services = nss, pam
domains=DOMAIN_GROUP1,DOMAIN_GROUP2,DOMAIN

[nss]
default_shell = /bin/bash

[domain/DOMAIN_GROUP1]
id_provider = ad
# Domain
ad_domain = domain.local
# Servers
ad_server = dc01.domain.local,dc02.domain.local,dc03.domain.local
# Restrict to group members
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group1,OU=Groups,DC=domain,DC=local)
# Shell
override_shell = /shell/path/for/group1
# Homedir
override_homedir = /home/%u

[domain/DOMAIN_GROUP2]
id_provider = ad
# Domain
ad_domain = domain.local
# Servers
ad_server = dc01.domain.local,dc02.domain.local,dc03.domain.local
# Restrict to group members
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group2,OU=Groups,DC=domain,DC=local)
# Shell
override_shell = /shell/path/for/group2
# Homedir
override_homedir = /home/%u
[domain/DOMAIN]
id_provider = ad
# Domain
ad_domain = domain.local
# Servers
ad_server = dc01.domain.local,dc02.domain.local,dc03.domain.local
# Homedir
override_homedir = /home/%u

Members of group1 use /shell/path/for/group1, members of group2 use /shell/path/for/group2, and all other DOMAIN users use /bin/bash.

A downside is if a user is a member of both groups: it will always fall in the first "domain" DOMAIN_GROUP1.

EDIT: this now uses ldap_user_search_base instead of the deprecated ldap_user_search_filter; it should work on newer versions of sssd.
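To see how the domain ordering plays out before rolling this out, here is an added example (not part of the answer above) that parses a trimmed copy of that sssd.conf and models the first-match lookup the answer describes: each domain is tried in the order listed under `domains`, a domain with a `memberOf` filter in its `ldap_user_search_base` only admits members of that group, and the shell is `override_shell` or the `[nss]` `default_shell`. The config text is constructed from the answer; the matching logic is this example's own model of sssd behaviour, not sssd code.

```python
import configparser
import re

# Constructed sample: the multi-domain sssd.conf from the answer, trimmed to the
# keys that decide which shell a user receives.
SSSD_CONF = """
[sssd]
domains=DOMAIN_GROUP1,DOMAIN_GROUP2,DOMAIN
[nss]
default_shell = /bin/bash
[domain/DOMAIN_GROUP1]
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group1,OU=Groups,DC=domain,DC=local)
override_shell = /shell/path/for/group1
override_homedir = /home/%u
[domain/DOMAIN_GROUP2]
ldap_user_search_base = DC=domain,DC=local?subtree?(memberOf=CN=group2,OU=Groups,DC=domain,DC=local)
override_shell = /shell/path/for/group2
override_homedir = /home/%u
[domain/DOMAIN]
override_homedir = /home/%u
"""

MEMBER_OF = re.compile(r"\(memberOf=([^)]+)\)", re.IGNORECASE)


def load_domains(text):
    """Return [(domain, required group DN or None, shell)] in lookup order."""
    # interpolation=None: sssd's %u / %d tokens would otherwise trip configparser
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    default_shell = cfg.get("nss", "default_shell", fallback="/bin/bash")
    domains = []
    for name in cfg.get("sssd", "domains").split(","):
        sect = cfg["domain/" + name.strip()]
        # search base syntax is base?scope?filter; only the filter restricts membership
        parts = sect.get("ldap_user_search_base", "").split("?")
        m = MEMBER_OF.search(parts[2]) if len(parts) == 3 else None
        domains.append((name.strip(), m.group(1).lower() if m else None,
                        sect.get("override_shell", default_shell)))
    return domains


def resolve_shell(domains, member_of):
    """Return (domain, shell) for the first domain whose filter admits the user."""
    groups = {g.lower() for g in member_of}
    for name, required_group, shell in domains:
        if required_group is None or required_group in groups:
            return name, shell
    return None, None
```

A user in both groups resolves to DOMAIN_GROUP1, which is the ordering caveat the answer points out; reorder `domains` if the other shell should win.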


You probably can't do it to a group, but you can change the shell per user in AD for SSSD. Go into the actual object attributes using ADSI Edit and change the "loginShell" attribute for the user. Alternatively, you might look into using Puppet to bring GPO-like stuff to Linux and perhaps manage it there (I'm not sure that is possible though).