When you use the Admin UI to create a provisioner file that uses the LDAP Connector against AD, The Admin UI creates the connector with the accountSearchFilter set to only find enabled accounts. The filter also uses objectClass type filters.
Instead it should be checking against sAMAccountType.
accountSearchFilter and accountSynchronizationFilter should be (sAMAccountType=805306368)
groupSearchFilter and groupSynchronizationFilter should be (sAMAccountType=268435456)
This is for two reasons.
1. Most people are using the LDAP Connector against AD to provison, deprovison, and re-enable AD accounts. So, only seeing active accounts does not work for the majority of users.
2. Using the sAMAccountType filters are more efficient in AD. Otherwise, a compound ldap filter is required which is less efficient. This is because computers in AD also have the objectClass user.
The following Microsoft website's Note 1 mentions that it is better to use the sAMAccountType filter to find users.
Please have the defaults generated by the Admin UI generate the sAMAccountType ldap filters.