Users who are denied login by a users.deny file still have a home directory created for them when they attempt to log in. This can cause compliance issues, because it looks as though a user has logged in to a machine that they have never actually been allowed to log in to.
The PAM configuration is set to create the home directories during the authentication part of the PAM stack, so even if the user is denied after authenticating, the home directory is still created.
Change the PAM configuration and remove the create_homedir option from the auth lines. There are only two places that PAM is told to create a home directory: the auth line and the session line; if the directory is not created at the time the user is authenticated, it will be created when the session is established. Denied users do not get sessions, therefore their home directories will not be created.
Depending on the Unix distribution, these auth lines may all be in /etc/pam.conf or may be spread across separate files in /etc/pam.d/.
The create_homedir option is only needed on the auth line if there is a login that doesn't require a session but still requires a home directory. These situations exist but seem to be rare.
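
To find the auth lines that still carry create_homedir, the following audit sketch can be run over /etc/pam.conf and the files in /etc/pam.d/. It is an added example, not part of the original article or of any vendor tooling. The module name pam_example.so and the sample files are constructed placeholders (the article does not name the module), and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not vendor code): report PAM auth lines carrying create_homedir.
# Files named pam.conf use "service type control module args"; every other
# file is read in the /etc/pam.d layout "type control module args".
pam_auth_homedir_lines() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        case "${f##*/}" in pam.conf) col=2 ;; *) col=1 ;; esac
        awk -v col="$col" -v file="$f" '
            { sub(/#.*/, "") }                              # drop comments
            /\\$/ { sub(/\\$/, " "); buf = buf $0; next }   # join continued lines
            {
                $0 = buf $0; buf = ""
                type = tolower($col); sub(/^-/, "", type)   # Linux-PAM allows "-auth"
                if (type != "auth") next                    # session lines are fine
                for (i = col + 1; i <= NF; i++)
                    if ($i == "create_homedir") { print file ":" NR ": " $0; break }
            }
        ' "$f"
    done
}

# Constructed sample files; pam_example.so is a placeholder module name.
pam_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/pam.d"
    cat > "$d/pam.d/sshd" <<'EOF'
# constructed sample
auth     sufficient pam_example.so create_homedir
account  sufficient pam_example.so
session  required   pam_example.so create_homedir
EOF
    cat > "$d/pam.conf" <<'EOF'
login auth    sufficient pam_example.so \
              create_homedir
login session required   pam_example.so create_homedir
EOF
    pam_auth_homedir_lines "$d/pam.conf" "$d"/pam.d/*
    rm -rf "$d"
}
pam_demo
```

On a real host, call `pam_auth_homedir_lines /etc/pam.conf /etc/pam.d/*`; no output means no auth line creates home directories, while session lines with the option are deliberately left unreported.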