pam.deny.users

This configuration parameter specifies the users that should be denied access to PAM-enabled applications. When this parameter is defined, only the listed users are denied access. All other users are allowed access.

If you want to use this parameter to control which users can log in, the users you specify should be valid Active Directory users that have been enabled for UNIX. If you specify local user accounts or invalid Active Directory user names, these entries are ignored.

In most cases, you set this configuration parameter using group policy. You can, however, set it manually in the configuration file if you are not using group policy or want to temporarily override group policy.

When a user attempts to log on or access a PAM-enabled service, the pam_centrifydc module checks whether the user appears in the list specified by this parameter. If the user is listed, the login is rejected and authentication fails; if the user is not listed, the user is accepted and authentication proceeds.

The parameter value can be one or more user names, separated by commas or spaces, or the file: keyword and a file location. For example, to prevent the user accounts starr and guestuser from logging on:

pam.deny.users: starr,guestuser

You can use the short format of the user name or the full canonical name of the user.

To enter user names with spaces, enclose them in double quotes; for example:

pam.deny.users: "sp1 user@acme.com",joan@acme.com,"sp2 user@acme.com"

To specify a file that contains a list of the users that should be denied access:

pam.deny.users: file:/etc/centrifydc/users.deny
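As an added example (not Centrify's code, which lives in the pam_centrifydc module), here is a Python model of how a pam.deny.users value is parsed and applied: it splits comma- or space-separated names, honours double quotes around names that contain spaces, accepts the file: keyword, ignores entries that do not resolve to an Active Directory user, and matches either the short or the canonical form of the name. The AD_USERS table is a constructed stand-in for the directory lookup, and the one-name-per-line file format is an assumption.

```python
from pathlib import Path

# Constructed stand-in for the Active Directory lookup: short name -> canonical name.
# The real module resolves names against the zone; local accounts never appear here.
AD_USERS = {
    "starr": "starr@acme.com",
    "joan": "joan@acme.com",
    "sp1 user": "sp1 user@acme.com",
}


def parse_deny_users(value, read_file=Path.read_text):
    """Split a pam.deny.users value into names: comma- or space-separated,
    double-quoted names may contain spaces, and file:<path> reads a list.
    The file format is assumed to be one name per line ('#' comments and
    blank lines skipped); read_file is injectable so this runs offline."""
    value = value.strip()
    if value.startswith("file:"):
        text = read_file(Path(value[len("file:"):].strip()))
        return [ln.strip() for ln in text.splitlines()
                if ln.strip() and not ln.lstrip().startswith("#")]
    names, cur, in_quotes = [], [], False
    for ch in value:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in ", " and not in_quotes:
            if cur:
                names.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if in_quotes:
        raise ValueError("unbalanced double quote in pam.deny.users")
    if cur:
        names.append("".join(cur))
    return names


def resolve_ad_user(name):
    """Canonical name for a short or canonical AD name; None for local/unknown."""
    if name in AD_USERS:
        return AD_USERS[name]
    return name if name in AD_USERS.values() else None


def is_denied(user, deny_value, read_file=Path.read_text):
    """Unset parameter: no filtering. Entries that are not AD users are ignored;
    the user is rejected only if their short or canonical name matches an entry."""
    if deny_value is None:
        return False
    denied = {c for c in map(resolve_ad_user, parse_deny_users(deny_value, read_file)) if c}
    return resolve_ad_user(user) in denied
```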

Note: If a computer is configured to use Auto Zone without a zone, enter user names in the format specified by the auto.schema.name.format parameter:

  • SAM (samAccountName — this is the default); for example: jcool
  • samAccountName@domain_name; for example: jcool@acme.com
  • NTLM; for example: acme.com+jcool

Note: You can look in the centrifydc.conf configuration file for the value of auto.schema.name.format, or run adquery user -n to see the UNIX name for any user. For example, to see the UNIX name for jcool (with auto.schema.name.format set to SAM, the default), execute the following command, which returns the UNIX name as shown:

[root]#adquery user -n jcool
jcool

If this parameter is not defined in the configuration file, no user filtering is performed.

Note: If you make changes to this parameter, you should run adflush to clear the cache to ensure your changes take effect.