Using user validation filters
A user validation filter is applied to a search query of the distinguished name of a user. If an account is disabled, locked, or not authorized to log on, the query must return empty results. The filter should check schema-specific attributes for values that indicate an account is not in good standing. If a custom validation filter is not defined, the Authentication Service can only verify whether a user account still exists; it cannot determine, for example, whether the account has been locked. User validation filters must be properly formatted LDAP search filters. See below for descriptions of some common validation filters.
Directory servers enforce different access controls on user account attributes. A directory server might allow anonymous connections to browse user account data, but a directory server typically restricts access to attributes that indicate whether an account is disabled. In order to take advantage of a custom user validation filter, the Authentication Service must log on to the directory server with a privileged account. The name and password of the privileged account are defined by the LDAP DefaultUser and LDAP DefaultPassword settings. If you are not employing user validation filters and your directory server allows anonymous connections, you do not need to define a default LDAP user and password.
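The following is an added illustration, not part of the product documentation above: a small evaluator for a subset of LDAP filter syntax, applied to constructed sample entries, showing how a validation filter that checks the Active Directory disabled bit (0x2 of userAccountControl, tested with the bitwise-AND matching rule) returns a result only for an account in good standing. The entries, DNs and the evaluator are assumptions for the demonstration; a real deployment sends the filter to the directory server, which evaluates it against its own schema.

```python
import re

# Constructed sample directory entries (not real data). In Active Directory,
# bit 0x2 of userAccountControl marks the account as disabled.
ENTRIES = {
    "cn=alice,ou=users,dc=example,dc=com": {"objectClass": "user", "userAccountControl": "512"},
    "cn=bob,ou=users,dc=example,dc=com":   {"objectClass": "user", "userAccountControl": "514"},
    "cn=svc01,ou=users,dc=example,dc=com": {"objectClass": "computer", "userAccountControl": "4096"},
}
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
# Validation filter: an object of class "user" whose disabled bit is NOT set.
VALIDATION_FILTER = "(&(objectClass=user)(!(userAccountControl:%s:=2)))" % BIT_AND_RULE

def parse(filt):
    """Parse a subset of RFC 4515: &, |, !, equality and the bit-AND extensible match."""
    filt = filt.strip()
    if not (filt.startswith("(") and filt.endswith(")")):
        raise ValueError("filter must be parenthesised: %r" % filt)
    body = filt[1:-1]
    if body[0] in "&|!":                      # compound filter: collect sub-filters
        parts, depth, start = [], 0, 1
        for i, ch in enumerate(body[1:], 1):
            depth += (ch == "(") - (ch == ")")
            if depth == 0:
                parts.append(parse(body[start:i + 1]))
                start = i + 1
        return (body[0], parts)
    attr, value = body.split("=", 1)
    if ":" in attr:                           # extensible match, e.g. attr:OID:=value
        attr, rule, _ = attr.split(":")
        if rule != BIT_AND_RULE:
            raise ValueError("unsupported matching rule %s" % rule)
        return ("bitand", attr, int(value))
    return ("eq", attr, value)

def matches(node, entry):
    op = node[0]
    if op == "&": return all(matches(n, entry) for n in node[1])
    if op == "|": return any(matches(n, entry) for n in node[1])
    if op == "!": return not matches(node[1][0], entry)
    if op == "eq": return entry.get(node[1]) == node[2]
    if op == "bitand": return (int(entry.get(node[1], 0)) & node[2]) == node[2]
    raise ValueError(op)

def validate(dn, filt=VALIDATION_FILTER, entries=ENTRIES):
    """Return the DN if the entry exists and passes the validation filter, else None
    (an empty result, which the Authentication Service treats as 'not in good standing')."""
    entry = entries.get(dn)
    return dn if entry and matches(parse(filt), entry) else None
```

Without the `!(userAccountControl...)` clause, the filter would still find bob and the disabled account would authenticate; this is the gap the documentation describes when no custom validation filter is defined.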