I am running a clean install of MOSS 2007 SP2 on Windows Server 2008 R2, all patches/updates etc. have been applied (this was not an upgraded SP2003 server).
I have the following User Filter in place for the import from our Active Directory:
(&(objectCategory=Person)(objectClass=User)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(!(!company=*)))
This should be filtering such that I import only people with the account type of User, which are not disabled, and do not have a blank value listed in Company.
What I get: SOME disabled accounts are imported into the User Profiles and appear in the User Information list, while others are not.
This is happening AFTER 3 or more Full Imports have run since the time the user accounts were disabled in AD. All of the accounts are ‘disabled’ the same way in AD, right-click and choose disable. Looknig at the menu via right-click on the account displays “enable” and looking at the properties shows that the accounts are disabled.
After searching and trying various things I did find one very interesting thing. When the import is run using the domain administrator account rather than my SharePoint service account (which has read access to the AD) then all of the disabled accounts filter properly. When I switch back and do a full import, then the rogue disabled accounts return to Active. It is always the same accounts that do not filter and the same disabled accounts that do filter regardless of the user who runs the import.
There must be some kind of permission thing going on here, and I am still testing but this seems like an odd behavior that may have as its source Active Directory. Updates to follow, if I ever find the final answer.