Hi Gun,
you can use an LDAP filter to only get a particular set of users. You have to specify what properties the users you are interested in must have. For example, let's say the users you are interested in are actual user accounts (i.e., users, not contacts or computer accounts). That means that the users you are interested in must have the value "person" for the attribute "objectCategory" AND the value "user" for the "objectClass" attribute (see the page below for additional details on this).
Let's say you also want to limit those users to those whose user account names (what Windows calls the sAMAccountName) DON'T start with 'SYSTEM'. That means that the sAMAccountName attribute should not have the value "SYSTEM*" (* is the wildcard for 'anything else can go here').
Putting it all together, it means you want to have a specific value for the first attribute (objectCategory) AND a specific value for the second attribute (objectClass) AND NOT having a specific value for the third attribute (sAMAccountName). LDAP filters use prefix notation, so any AND, OR, NOT etc. conditions must be specified before the values they apply to. LDAP filters use '&' for AND and '!' for NOT, so you could use a filter like this one:
(&(objectCategory=person)(objectClass=user)(!(sAMAccountName=SYSTEM*)))
The same filter with some extra white space so you can see the structure would be:
(&
    (objectCategory=person)
    (objectClass=user)
    (!
        (sAMAccountName=SYSTEM*)
    )
)
You can have a look at this page for some additional details and examples: https://social.technet.microsoft.com/wiki/contents/articles/5392.active-directory-ldap-syntax-filters.aspx
Regards.
Iñaki.
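
As an added illustration (not part of the original reply), this Python sketch parses the filter above and evaluates it against constructed sample entries, showing how the prefix operators nest and why each of the three conditions is needed. The entry data and the function names `parse`, `matches` and `select` are assumptions, and matching is simplified to two-valued, case-insensitive comparison.

```python
import re

def parse(text):  # subset: &, |, ! and equality conditions with * wildcards
    s = re.sub(r"\s+", "", text)  # accept the indented layout; assumes values have no spaces
    node, pos = _parse_at(s, 0)
    if pos != len(s):
        raise ValueError("unexpected text after the filter")
    return node

def _parse_at(s, i):
    if s[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i:i + 1] in ("&", "|", "!"):  # prefix notation: the operator comes first
        op, i, children = s[i], i + 1, []
        while s[i:i + 1] == "(":
            child, i = _parse_at(s, i)
            children.append(child)
        if not children or (op == "!" and len(children) != 1):
            raise ValueError(f"wrong number of operands for '{op}'")
        node = (op, children)
    else:  # leaf condition: attribute=value
        m = re.compile(r"([^=()]+)=([^()]*)").match(s, i)
        if not m:
            raise ValueError(f"malformed condition at offset {i}")
        node, i = ("=", m[1], m[2]), m.end()
    if s[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):  # two-valued logic, a simplification of real directory matching
    if node[0] == "=":
        regex = ".*".join(re.escape(part) for part in node[2].split("*"))
        values = [v for k, vs in entry.items() if k.lower() == node[1].lower() for v in vs]
        return any(re.fullmatch(regex, v, re.IGNORECASE) for v in values)
    results = [matches(child, entry) for child in node[1]]
    if node[0] == "!":
        return not results[0]
    return all(results) if node[0] == "&" else any(results)

ENTRIES = [  # constructed sample entries, heavily simplified
    {"cn": ["alice"], "objectCategory": ["person"], "objectClass": ["person", "user"], "sAMAccountName": ["alice"]},
    {"cn": ["sysbackup"], "objectCategory": ["person"], "objectClass": ["person", "user"], "sAMAccountName": ["SYSTEM_backup"]},
    {"cn": ["Bob (external)"], "objectCategory": ["person"], "objectClass": ["person", "contact"]},
    {"cn": ["WS01"], "objectCategory": ["computer"], "objectClass": ["person", "user", "computer"], "sAMAccountName": ["WS01$"]},
]
FILTER = "(&(objectCategory=person)(objectClass=user)(!(sAMAccountName=SYSTEM*)))"

def select(tree, entries):
    return [e["cn"][0] for e in entries if matches(tree, e)]
```

Calling `select(parse(FILTER), ENTRIES)` keeps only `alice`: the contact fails the objectClass test, the computer fails the objectCategory test, and the SYSTEM-prefixed account is removed by the NOT clause.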