Disabled Active Directory users

Hi, I work for a University computing lab. We currently have a small (16 machine) Mac Lab that logs on to Active Directory, using Apple's Active Directory plug in. My problem is that if a student causes trouble, we have a system that disables his or her account. The thing is, I tried it out on the Macs today. I disabled my own (non admin) account and tried to log in. I was able to log in. I have a few questions: Does the Active Directory plug in on the Mac handle disabled users correctly by default (apparantly not, judging by my experience)? If it doesn't, is there any way I can configure it to do this? Is there any other way I can do this? Such as writing a log in script that checks if the user is disabled and logs him or her out? Sadly, I don't think I'll be able to get my boss to commit to spending money on third-party authentication products, such as "AdmitMac".