I’m setting up an OpenFire server for our internal use and in looking to remove disabled AD users from the user list, I found the following post to be the most helpful in getting me to a solution https://community.igniterealtime.org/message/152300#152300.
It pointed to a list of LDAP Search examples here http://www.petri.com/ldap_search_samples_for_windows_2003_and_exchange.htm, however, I think it’s a bit out of date for more recent AD versions.
I looked in ADU&C at the Attributes editor and found two values in our environment for the userAccountControl attribute, x200 for enabled users and x202 for disabled. Since these were in hex and translated to 512 and 514 respectively in decimal I tried those values in the User Filter and came up with success.
So for reference here is the UserFilter I used to grab only active domain user accounts.
(&(objectCategory=person)(objectClass=user)(userAccountControl=512))