Active Directory allows creating InitialContext with disabled account
I have a problem implementing proper authentication based on Active
Directory (Windows Server 2008 R2) and Java.
The assumed flow is that when the account is disabled in AD (properties →
Account → Account options → "Account is disabled" checkbox), I should
get the following exception from AD when connecting using
com.sun.jndi.ldap.LdapCtxFactory:
[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, comment:
AcceptSecurityContext error, data 533, v1db1
This 533 tells me that the account is locked/disabled. And it works fine -
at least in my dev environment. Enabling/disabling an account immediately
changes the authentication result.
It doesn't however work in the production environment on the customer's machine...
I can successfully create an InitialContext (no 533), but the search
operation a moment after this successful bind ends with an error that I don't
have the necessary authorization to perform the lookup.
What to look for in the Active Directory configuration? I don't have any
pooling or any AD replication...
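The error 49 sub-code the question relies on can be parsed and mapped in the Java client, and the bind can refuse the empty-password case up front (JNDI sends an empty password as an unauthenticated bind, which AD accepts as anonymous, so the failure only surfaces at the later search, not at the bind). This is an added example, not code from the question; the class name, the URL and principal parameters are assumptions, and the sample message is constructed from the one quoted above.

```java
import java.util.Hashtable;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.naming.AuthenticationException;
import javax.naming.Context;
import javax.naming.NamingException;
import javax.naming.directory.InitialDirContext;

public class AdBindCheck {
    // AD appends a sub-code to LDAP error 49: "... AcceptSecurityContext error, data 533, ..."
    private static final Pattern DATA_CODE = Pattern.compile("data ([0-9a-fA-F]{3})");
    // Maps that sub-code to a reason, so a failed bind can be logged and handled
    // as "disabled" or "locked out" rather than as a generic bad password.
    static String reasonForBindFailure(String ldapMessage) {
        Matcher m = DATA_CODE.matcher(ldapMessage);
        if (!m.find()) return "invalid credentials (no AD sub-code present)";
        switch (m.group(1).toLowerCase()) {
            case "525": return "user not found";
            case "52e": return "invalid credentials";
            case "532": return "password expired";
            case "533": return "account disabled";
            case "773": return "user must reset password";
            case "775": return "account locked out";
            default:    return "bind rejected, AD sub-code " + m.group(1);
        }
    }
    // Simple bind as the user (hypothetical helper). Returns null on success, otherwise the reason.
    static String bindAsUser(String url, String userPrincipalName, String password) {
        // JNDI sends an empty password as an unauthenticated bind, which AD treats as
        // anonymous: the bind succeeds and only the later search is refused.
        if (password == null || password.isEmpty()) return "empty password refused";
        Hashtable<String, Object> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, url);
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, userPrincipalName);
        env.put(Context.SECURITY_CREDENTIALS, password);
        try { new InitialDirContext(env).close(); return null; }
        catch (AuthenticationException e) {
            return reasonForBindFailure(String.valueOf(e.getMessage()));
        } catch (NamingException e) { return "directory error: " + e.getMessage(); }
    }
    public static void main(String[] args) {
        // Constructed sample in the format quoted in the question above.
        String sample = "[LDAP: error code 49 - 80090308: LdapErr: DSID-0C0903A9, "
                + "comment: AcceptSecurityContext error, data 533, v1db1]";
        System.out.println(reasonForBindFailure(sample));
    }
}
```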