Using the ldap plugin, because there are too many OUs in its own Active Directory, can you filter out an OU separately to log in without affecting other OUs to log in normally?
I think you want an exclude feature, right?
So every one can login except the one OU that you don’t want to log in?