I have been trying to get my head around this for a while, but it seems like I am overlooking something.
We started to configure this on SLES 11 SP3, and have migrated it to SLES 12 as well.
What I am seeing is that any valid AD member is allowed to log on to the servers; there are no restrictions.
When we came up with this configuration I am sure it worked, but I might not remember correctly, or have tested it thoroughly enough.
Here is the output of my PAM files:
# 2014 - Configuration file modified for AD Authentication