Filter Out Disabled Windows Accounts

If you use pam_ldap to authenticate against Active Directory, you may have a problem you never thought of: you may be allowing disabled accounts access to your system. Use the following filter to exclude disabled accounts. The filter looks at the userAccountControl field, which is a bit field, and checks the single bit that determines whether an account is enabled or disabled. This snippet belongs in /etc/pam_ldap.conf.

pam_filter &(objectclass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))

On second thought, this might not be desirable. The filter hides disabled accounts, making them appear as though they do not exist, which is different from being disabled.
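
The following is an added example, not part of the original post: a small Python evaluator that applies the filter above to constructed directory entries, showing that a disabled account and a nonexistent one produce the same empty search result. It assumes pam_ldap ANDs pam_filter with the login attribute, and that the login attribute is sAMAccountName; the entries and the helper names are made up for illustration.

```python
import re

# Matching rule OID from the page's filter: true when (value & mask) == mask.
BIT_AND = "1.2.840.113556.1.4.803"
PAM_FILTER = "&(objectclass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

# Constructed sample entries (not real accounts). 512 = normal account,
# 514 = 512 + 2 (disabled), 66050 = 65536 + 512 + 2 (disabled, password never expires).
DIRECTORY = [
    {"sAMAccountName": "alice", "objectclass": "User", "userAccountControl": "512"},
    {"sAMAccountName": "bob", "objectclass": "User", "userAccountControl": "514"},
    {"sAMAccountName": "carol", "objectclass": "User", "userAccountControl": "66050"},
]

def split_items(s):
    """Split '(a)(b(c))' into its top-level parenthesised items."""
    items, depth, start = [], 0, 0
    for i, ch in enumerate(s):
        if ch == "(":
            if depth == 0:
                start = i + 1
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth == 0:
                items.append(s[start:i])
    return items

def matches(flt, entry):
    """Evaluate a filter body (outer parentheses removed) against one entry."""
    if flt[0] == "&":
        return all(matches(f, entry) for f in split_items(flt[1:]))
    if flt[0] == "!":
        return not matches(split_items(flt[1:])[0], entry)
    m = re.fullmatch(r"(\w+):([\d.]+):=(\d+)", flt)
    if m:  # extensible match; only the bitwise-AND rule is modelled here
        if m.group(2) != BIT_AND:
            raise ValueError("unsupported matching rule: " + m.group(2))
        mask = int(m.group(3))
        return int(entry.get(m.group(1), 0)) & mask == mask
    attr, value = flt.split("=", 1)
    return entry.get(attr, "").lower() == value.lower()

def lookup(user, login_attr="sAMAccountName"):
    """Assumed pam_ldap behaviour: pam_filter ANDed with the login attribute."""
    flt = "&(%s)(%s=%s)" % (PAM_FILTER, login_attr, user)
    return [e[login_attr] for e in DIRECTORY if matches(flt, e)]
```

Because lookup("bob") and lookup("dave") both come back empty, logs and error messages on the client cannot tell "account disabled" from "no such user".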

