Ok, thanks, that explains it.
All I want is a way to make sure that a user whom I have not explicitly allowed access
is denied. In other words... default behaviour for all logins should always be DENY,
regardless of number of GPOs found. Obviously, a GPO that does contain access control
rules should override this default behavior.
Right now we are forced to fall back to either "access_provider=simple" or
"ad_access_filter" just to make sure that the default behavior for logins is
DENY, which unfortunately defeats the whole idea of using GPO for access control.
Any advice on how to achieve my desired functionality is appreciated.
Thanks!