Problems with pam_nologin.so

[Hebenstreit, Michael]

I'm sorry to hit the entire list with this question but after some hours research I'm still unable to find a solution to my problem. I need a way to allow certain users (eg the administrators) access to a system even when /etc/nologin is present. The orginal Redhat 5 config read like:
 
  auth       include      system-auth
  account    required     pam_nologin.so
  account    include      system-auth
  ....
 
with system-auth containing 
 
  ...
  account     required      pam_unix.so
  account     sufficient    pam_succeed_if.so uid < 500 quiet
  account     required      pam_permit.so
  ...
 
My modification would be:
 
  #%PAM-1.0
  auth       include      system-auth
  account    include      system-auth
  account    sufficient   pam_listfile.so onerr=fail item=user sense=allow file=/etc/admins
  account    required     pam_nologin.so
  ....
 
Which holes do I open by moving pam_nologin.so to the end of the stack? Are there better ways to reach my goal?
 
thanks for any help 
Michael
 
 
------------------------------------------------------------------------
Michael Hebenstreit                 Senior Cluster Architect
Intel Corporation                   Software and Services Group/DRD
2800 N Center Dr, DP3-307           Tel.:   +1 253 371 3144
WA 98327, DuPont           
UNITED STATES                       E-mail: michael.hebenstreit at intel.com