Excluding Disabled User Accounts from Profile Synchronization in SharePoint 2010

Filtering profile imports is a much more powerful experience in SharePoint 2010, due in large part to the much more generic and extensible profile import mechanism in place. Those familiar with https://support.microsoft.com/default.aspx?scid=kb;en-us;827754 know that in the past, you had to construct an LDAP filter that excluded accounts based on the value of the userAccountControl attribute in Active Directory. In SharePoint 2010, the exact same thing is required, but instead of constructing an LDAP filter, you use the Connection Filtering support baked in.

The magic setting:

For certain attribute fields, you are able to perform a bitwise comparison. What we're essentially saying (in pseudo-code) is:

if ((userAccountControl & 2) == 2) { skipUser(); }

Or, in English, if the 'Account Disabled' flag is set on the userAccountControl attribute, exclude the object. You can do the opposite, that is, exclude the object only when the flag is not set, by using the 'Bit off equals' operator. That changes the above pseudo-code to:

if ((userAccountControl & 2) != 2) { skipUser(); }

What makes this new connection filtering mechanism powerful is that you can layer these exclusions and choose to require multiples (if this AND that OR this then exclude), which allows administrators to impose some significant logic on what gets imported, when, and why, without writing any code. This is a Good Thing (tm), and opens up import scenarios from non-directory or LDAP based repositories down the line.
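To make the bitwise pseudo-code and the layering of exclusions concrete, here is an added example that is not code from the original post or from SharePoint itself. It models the 'Bit on equals' / 'Bit off equals' operators as Python functions and evaluates a filter against constructed userAccountControl values; the function names, the clause layout, and the assumption that clauses within a group are ANDed while groups are ORed are mine for illustration.

```python
# Added example (not from the original post or the SharePoint product): evaluate
# connection-filter style exclusions against userAccountControl values.
# Function names and the AND-within-group / OR-across-groups layout are assumptions.

ACCOUNTDISABLE = 0x0002        # the 'Account Disabled' flag in userAccountControl
NORMAL_ACCOUNT = 0x0200        # set on ordinary user objects (512)
DONT_EXPIRE_PASSWORD = 0x10000 # another commonly set flag (65536)

def bit_on_equals(uac, mask):
    """'Bit on equals': true when the masked bits are set: (uac & mask) == mask."""
    return (uac & mask) == mask

def bit_off_equals(uac, mask):
    """'Bit off equals': true when the masked bits are not set: (uac & mask) != mask."""
    return (uac & mask) != mask

OPERATORS = {"Bit on equals": bit_on_equals, "Bit off equals": bit_off_equals}

def is_excluded(entry, filter_groups):
    """A filter is a list of groups; each group is a list of (attribute, operator,
    value) clauses. Clauses inside a group are ANDed, groups are ORed, and a match
    means the directory object is excluded from the import."""
    for group in filter_groups:
        if all(OPERATORS[op](entry[attr], value) for attr, op, value in group):
            return True
    return False

def imported_names(users, filter_groups):
    """Return the accounts that survive the filter, in directory order."""
    return [u["sAMAccountName"] for u in users if not is_excluded(u, filter_groups)]

# Constructed sample directory entries (not real accounts). Note that a disabled
# user is rarely exactly 2: the flag sits alongside NORMAL_ACCOUNT and others,
# which is why a bitwise test is needed rather than an equality test against 514.
SAMPLE_USERS = [
    {"sAMAccountName": "alice", "userAccountControl": 512},    # enabled
    {"sAMAccountName": "bob",   "userAccountControl": 514},    # 512 | 2: disabled
    {"sAMAccountName": "svc1",  "userAccountControl": 66050},  # 512 | 2 | 65536: disabled
    {"sAMAccountName": "carol", "userAccountControl": 66048},  # 512 | 65536: enabled
]

# The filter from the post: exclude when the 'Account Disabled' bit is on.
EXCLUDE_DISABLED = [[("userAccountControl", "Bit on equals", ACCOUNTDISABLE)]]

# A layered filter: exclude disabled accounts, OR (enabled AND password never expires).
LAYERED = EXCLUDE_DISABLED + [[("userAccountControl", "Bit on equals", DONT_EXPIRE_PASSWORD),
                               ("userAccountControl", "Bit off equals", ACCOUNTDISABLE)]]
```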