That seemed to work for my groups. Now I see only the groups matching my filter, but I still see 20,000 users rather than the 150 that match my search filter.
(&(objectclass=organizationalPerson)(|(memberOf:1.2.840.113556.1.4.1941:=CN=Open fire Access Group,CN=Users,DC=AD-DOMAIN,DC=local))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
What’s strange is that I set it to “Do not encrypt this property value” but it gets encrypted anyway. I’m going to just reinstall and use an external database so I have more control over the settings.
the encryption thing is a bug. If you enter it again and check “do not encrupt…” it will save it correctly. regardless, I think its better to use an external DB anyway!