Hi,

Is there any way for winbind to ignore AD disabled accounts, like an LDAP filter does?

"(!(UserAccountControl:1.2.840.113556.1.4.803:=2))"

with the following settings.

/etc/nsswitch.conf

passwd: compat winbind
group: compat winbind
shadow: compat winbind

/etc/pam.d/common-auth

auth [success=2 default=ignore] pam_unix.so nullok_secure
auth [success=1 default=ignore] pam_winbind.so krb5_auth krb5_ccache_type=FILE cached_login try_first_pass
auth requisite pam_deny.so
auth required pam_permit.so

Winbind lookup does not recognize an AD disabled account's status.

Regards,
Juri