I have configured my Sync, created my filters and restricted the OUs that the Sync should be pulling AD accounts from. Right now I have the following restrictions.
OR UserAccountControl Bit on equals 2
OR UserAccountControl Bit on equals 17
OR UserAccountControl Bit on equals 24
These exclusions are supposed to filter out Disabled accounts, Password Never Expires accounts, and Password Is Expired accounts.
I have also restricted the OUs that it should even be looking in. One catch is, all this was done AFTER it was already "incorrectly" set up. Originally it was pulling from ALL OUs and there were no restrictions/exclusions at all. There were over 22,000 or so AD accounts and My Sites created, a lot of them for generic accounts, service accounts, disabled accounts, etc.
I have since created the above restrictions, and for some reason I still have many service accounts being synced. One in particular is my SharePoint farm account, which is in an excluded OU AND has the PW Never Expires bit set, so it should be excluded (twice). I have been working on this for a week now, trying to get it resolved. I have run multiple full syncs.
Any ideas?
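An added, self-contained Python example (not the poster's code, and not SharePoint's own filter engine) that decodes a userAccountControl value into its documented flag names and evaluates OR'd "Bit on equals" rules under two assumed readings of the numbers 2, 17 and 24 from the post: as raw bit masks, or as 1-based bit positions. The sample accounts and their userAccountControl values are constructed; the flag values themselves are the documented AD masks.

```python
"""Decode userAccountControl and test "Bit on equals" exclusion rules.

Added illustration, not from the original post. The two readings of the
filter numbers (mask vs. 1-based bit position) are assumptions made here to
show why an account with DONT_EXPIRE_PASSWORD set may or may not match.
"""
from typing import Dict, Iterable, List

# Documented userAccountControl flag masks (subset relevant to the post).
UAC_FLAGS: Dict[str, int] = {
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "PASSWORD_EXPIRED": 0x800000,
}

# Constructed sample accounts: name -> userAccountControl value.
SAMPLE_ACCOUNTS: Dict[str, int] = {
    "ordinary user": 0x0200,                 # NORMAL_ACCOUNT
    "farm service account": 0x0200 | 0x10000,  # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
    "disabled user": 0x0200 | 0x0002,        # NORMAL_ACCOUNT + ACCOUNTDISABLE
    "expired password": 0x0200 | 0x800000,   # NORMAL_ACCOUNT + PASSWORD_EXPIRED
}

# The numbers used in the post's three OR'd rules.
POST_FILTER_NUMBERS = [2, 17, 24]


def decode_uac(value: int) -> List[str]:
    """Return the names of known flags that are set in a userAccountControl value."""
    return [name for name, mask in UAC_FLAGS.items() if value & mask]


def bit_position_to_mask(position: int) -> int:
    """Assumed reading: N is a 1-based bit position, so bit 1 = value 1, bit 17 = 65536."""
    if position < 1:
        raise ValueError("bit positions are 1-based")
    return 1 << (position - 1)


def excluded_by_filters(uac: int, numbers: Iterable[int], as_positions: bool) -> bool:
    """True if any OR'd 'Bit on equals N' rule matches the account.

    as_positions=False reads N as a raw bit mask; as_positions=True reads N as a
    1-based bit position (the assumption explained in the docstring above).
    """
    for n in numbers:
        mask = bit_position_to_mask(n) if as_positions else n
        if uac & mask:
            return True
    return False


def evaluate_samples() -> Dict[str, Dict[str, bool]]:
    """Evaluate every constructed account under both readings of the filter numbers."""
    report: Dict[str, Dict[str, bool]] = {}
    for name, uac in SAMPLE_ACCOUNTS.items():
        report[name] = {
            "as_mask": excluded_by_filters(uac, POST_FILTER_NUMBERS, as_positions=False),
            "as_position": excluded_by_filters(uac, POST_FILTER_NUMBERS, as_positions=True),
        }
    return report


if __name__ == "__main__":
    for name, uac in SAMPLE_ACCOUNTS.items():
        print(f"{name:22s} uac={uac:8d} flags={decode_uac(uac)}")
    for name, result in evaluate_samples().items():
        print(f"{name:22s} excluded(as mask)={result['as_mask']} "
              f"excluded(as position)={result['as_position']}")
```

Under the position reading, 17 and 24 map to 65536 (DONT_EXPIRE_PASSWORD) and 8388608 (PASSWORD_EXPIRED), and the constructed farm account is excluded; under the mask reading, 17 and 24 only test the low bits (LOCKOUT, HOMEDIR_REQUIRED, and bit 1) and the same account passes through. Reading the live userAccountControl value of an account that keeps appearing, and decoding it the same way, shows which flags the filter is actually being asked to match.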