The usual LDAP query to import user profiles from AD into MOSS is:
The downside of this query is that it also imports your service accounts and any disabled accounts. This creates a lot of unnecessary clutter in people searches and greatly reduces the effectiveness of the people search scope.
To remove these accounts, add the following clauses to the filter:
- (!(userAccountControl:1.2.840.113556.1.4.803:=2)) - removes disabled accounts
- (!(userAccountControl:1.2.840.113556.1.4.803:=65536)) - removes accounts with password set to never expire
So the new LDAP query is:
For more ADSI userAccountControl flags, see: http://msdn2.microsoft.com/en-us/library/aa772300.aspx
Credit for this goes to Suman Chakrabarti's blog
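
The following is an added example, not code from the original post or from Suman Chakrabarti's blog. It builds the two exclusion clauses around a base filter and evaluates the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) over a few sample values, showing why userAccountControl has to be tested bit by bit rather than with a plain equality. The base filter `(objectClass=user)` and the account names are constructed placeholders.

```python
# Added example: userAccountControl is a bit field, so test bits, not equality.
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"

# Flag values from the ADSI userAccountControl documentation.
ACCOUNTDISABLE = 0x0002        # 2
NORMAL_ACCOUNT = 0x0200        # 512
DONT_EXPIRE_PASSWD = 0x10000   # 65536
EXCLUDED = (ACCOUNTDISABLE, DONT_EXPIRE_PASSWD)


def bit_and_clause(flag):
    """LDAP clause that is true when every bit of `flag` is set."""
    return f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:={flag})"


def import_filter(base_filter, excluded_flags=EXCLUDED):
    """AND the base filter with one negated bit test per excluded flag."""
    negated = "".join(f"(!{bit_and_clause(flag)})" for flag in excluded_flags)
    return f"(&{base_filter}{negated})"


def is_imported(uac, excluded_flags=EXCLUDED):
    """Mirror the directory's evaluation: drop the entry if any flag is set."""
    return not any((uac & flag) == flag for flag in excluded_flags)


# Constructed sample accounts (names and values are illustrative).
SAMPLE_ACCOUNTS = {
    "alice": NORMAL_ACCOUNT,                                          # 512
    "bob-disabled": NORMAL_ACCOUNT | ACCOUNTDISABLE,                  # 514
    "svc-search": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD,                # 66048
    "svc-old": NORMAL_ACCOUNT | DONT_EXPIRE_PASSWD | ACCOUNTDISABLE,  # 66050
}


def imported_accounts(accounts=SAMPLE_ACCOUNTS):
    """Names that survive both exclusion clauses."""
    return sorted(name for name, uac in accounts.items() if is_imported(uac))


def equality_hits(accounts=SAMPLE_ACCOUNTS, value=DONT_EXPIRE_PASSWD):
    """Names a plain (userAccountControl=65536) equality test would match."""
    return sorted(name for name, uac in accounts.items() if uac == value)


if __name__ == "__main__":
    print(import_filter("(objectClass=user)"))  # placeholder base filter
    print("imported:", imported_accounts())
    print("equality match on 65536:", equality_hits())
```

An equality test on 65536 matches none of the sample accounts because real values also carry an account-type bit such as 512, so the never-expire accounts would still be imported.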