0
votes

I need help for my AD Integration.

I’m using Spiceworks for the system and there is a portion there for AD Integration.

The problem is that I need to sync two different OUs:

Base DN for LDAP search: DC=dc1,DC=dc2

LDAP user filter: (&(objectCategory=person)(|(ou=OU1)(ou=OU2)))

And it's not working.

My AD Structure is

dc1.dc2 — OU1 — OU2 — OU3

dc1.dc2 is the top level. OU1, OU2, OU3 are on the same level.

The reason is I don't want to include OU3 in the syncing.


2 Answers

0
votes

LDAP filters are generally only applicable to attributes that are in the user entries.

If you want to include attributes that are part of the DN (the path to entries), you need to use extensible filters such as:

(&(objectCategory=person)(|(ou:dn:=OU1)(ou:dn:=OU2)))

Note that while these are standard LDAP filters, not all servers support them.

0
votes

Active Directory doesn't support filters based on OU. In this instance, it's an "extensible match filter" that some LDAP implementations support, but not all (including AD). More info here.

By the way, you can't do a wildcard search on the distinguishedName, if you're tempted to try.

To be honest, this is why it's best to have all your "person" user accounts in one OU (maybe subdivided further down), groups in another, etc. In your case, if you can, it might be a good idea to move your "synching" account OUs under a new OU. If you have an enterprise environment, you will want to be careful there are no dependencies on the OU structure before making such a change. Or that you can identify any such dependencies and fix them before or at the time of making the change.

Otherwise, you'll need to make your searchbase the root of the domain. If you have other user account attributes you can use to search, such as department names or similar, that will work. If it's employee accounts, do they all have a common field that's populated, such as "employeeID" or "streetAddress" or something? Or do the accounts you want to exclude have a specific name format (such as all the service accounts starting with "SVC")? By combining things like that, you can generally get it pretty good.

Finally, for searching normal user accounts, a more efficient basic query is:

(samAccountType=805306368)

Your query of (objectCategory=person) returns User and Contact objects. The usual way to scope it properly is (&(objectClass=user)(objectCategory=person)), but the two clauses make it less efficient than my recommendation (which is using an indexed attribute as well).
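To make the points of both answers concrete, here is an added example (not from the question or either answer, and not Spiceworks code): a toy in-memory LDAP search over a constructed directory shaped like the asker's (OU1, OU2, OU3 under DC=dc1,DC=dc2). It shows that the original filter matches nothing because user entries carry no ou attribute, that the ou:dn:= extensible form from the first answer matches against RDN components of the DN, and that the AD-compatible workaround from the second answer is to scope each OU through the search base and select normal user accounts with samAccountType=805306368. Assumptions: the entries and DNs are constructed sample data; objectCategory is stored as the short name "person" (real AD stores a schema DN and resolves the short name for you); a server that lacks extensible match is modelled as simply not matching such a clause.

```python
"""Toy LDAP filter evaluator and subtree search (constructed data, for illustration)."""
import re

DOMAIN_DN = "DC=dc1,DC=dc2"

# Constructed directory. Users live under OU1/OU2/OU3; one nested OU under OU1;
# one contact object that is objectCategory=person but not a user account.
DIRECTORY = [
    {"dn": "CN=Alice,OU=OU1,DC=dc1,DC=dc2", "objectClass": ["user"],
     "objectCategory": "person", "sAMAccountType": 805306368},
    {"dn": "CN=Bob,OU=OU2,DC=dc1,DC=dc2", "objectClass": ["user"],
     "objectCategory": "person", "sAMAccountType": 805306368},
    {"dn": "CN=svc-backup,OU=OU3,DC=dc1,DC=dc2", "objectClass": ["user"],
     "objectCategory": "person", "sAMAccountType": 805306368},
    {"dn": "CN=Dave,OU=Vendors,OU=OU1,DC=dc1,DC=dc2", "objectClass": ["user"],
     "objectCategory": "person", "sAMAccountType": 805306368},
    {"dn": "CN=Ext Contact,OU=OU1,DC=dc1,DC=dc2", "objectClass": ["contact"],
     "objectCategory": "person"},  # no sAMAccountType: not a user account
]


def parse_filter(s):
    """Parse a small subset of RFC 4515: (&...), (|...), (attr=val), (attr:dn:=val).

    Leaf nodes are ("=", attr, dn_match, value); boolean nodes are (op, [children]).
    """
    pos = 0

    def parse():
        nonlocal pos
        if s[pos] != "(":
            raise ValueError(f"expected '(' at offset {pos}")
        pos += 1
        if s[pos] in "&|":
            op = s[pos]
            pos += 1
            children = []
            while s[pos] == "(":
                children.append(parse())
            if s[pos] != ")":
                raise ValueError(f"expected ')' at offset {pos}")
            pos += 1
            return (op, children)
        end = s.index(")", pos)
        m = re.fullmatch(r"([A-Za-z0-9]+)(:dn:)?=(.*)", s[pos:end])
        if not m:
            raise ValueError(f"unsupported filter item: {s[pos:end]!r}")
        pos = end + 1
        return ("=", m.group(1), bool(m.group(2)), m.group(3))

    node = parse()
    if pos != len(s):
        raise ValueError("trailing characters after filter")
    return node


def rdn_values(dn, attr):
    """Values of `attr` appearing as RDN components of a DN (what :dn: matches)."""
    parts = (component.split("=", 1) for component in dn.split(","))
    return [value for name, value in parts if name.lower() == attr.lower()]


def entry_values(entry, attr):
    """Case-insensitive attribute lookup on an entry; the DN is not an attribute."""
    for key, value in entry.items():
        if key != "dn" and key.lower() == attr.lower():
            return value if isinstance(value, list) else [value]
    return []


def matches(node, entry, supports_dn_match=True):
    """Evaluate a parsed filter against one entry."""
    if node[0] == "&":
        return all(matches(c, entry, supports_dn_match) for c in node[1])
    if node[0] == "|":
        return any(matches(c, entry, supports_dn_match) for c in node[1])
    _, attr, dn_match, value = node
    candidates = [str(v) for v in entry_values(entry, attr)]
    if dn_match:
        if not supports_dn_match:
            return False  # modelling assumption: unsupported extensible match never matches
        candidates += rdn_values(entry["dn"], attr)
    return any(c.lower() == value.lower() for c in candidates)


def search(base_dn, filter_str, supports_dn_match=True):
    """Subtree search: entries under base_dn (exclusive) that satisfy the filter."""
    node = parse_filter(filter_str)
    suffix = "," + base_dn.lower()
    return sorted(e["dn"] for e in DIRECTORY
                  if e["dn"].lower().endswith(suffix)
                  and matches(node, e, supports_dn_match))


def sync_scope_by_base(ou_names, domain_dn=DOMAIN_DN):
    """AD-compatible workaround: one search per OU, scoped by search base rather than
    by filter, selecting normal user accounts with samAccountType=805306368."""
    found = set()
    for ou in ou_names:
        found.update(search(f"OU={ou},{domain_dn}", "(sAMAccountType=805306368)"))
    return sorted(found)


if __name__ == "__main__":
    print("original filter:", search(DOMAIN_DN, "(&(objectCategory=person)(|(ou=OU1)(ou=OU2)))"))
    print("extensible, supported:", search(DOMAIN_DN, "(&(objectCategory=person)(|(ou:dn:=OU1)(ou:dn:=OU2)))"))
    print("extensible, unsupported:", search(DOMAIN_DN, "(ou:dn:=OU1)", supports_dn_match=False))
    print("per-OU search base:", sync_scope_by_base(["OU1", "OU2"]))
```

The first call returns nothing because (ou=OU1) is tested against the entry's own attributes, not its DN. The extensible variant does match, and also picks up the nested OU=Vendors entry and the contact object, which is why the second answer's samAccountType clause is the better selector for accounts. The per-OU search base approach needs no extensible match, so it is the one to use against a directory that does not support it, and it naturally leaves OU3 out.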