I've managed to synchronize with LDAP using a filter to discard the CNs with the '#' character and also the disabled users: (&(objectClass=Person)(!(cn=*#*))(!(loginDisabled=TRUE))).
I think it can work in sub-contexts as well, as I have seen that users who exist in 2 contexts are disabled in one of them, but I have to test.
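To check what a filter like the one in the post keeps before pointing a sync job at it, the sketch below (an added example, not part of the original post or of any product's code) parses the filter and evaluates it entry by entry against constructed sample data. Assumptions: the DNs and attribute values are made up, only and/or/not with equality and `*` substring matches are handled (no `\xx` escapes), values are compared case-insensitively, and a missing attribute simply does not match.

```python
import re

FILTER = "(&(objectClass=Person)(!(cn=*#*))(!(loginDisabled=TRUE)))"  # filter quoted in the post
# Constructed sample entries (DNs and values are made up for illustration).
ENTRIES = {
    "cn=jdoe,ou=sales,o=corp": {"objectClass": ["inetOrgPerson", "person"], "cn": ["jdoe"], "loginDisabled": ["FALSE"]},
    "cn=jdoe,ou=old,o=corp": {"objectClass": ["person"], "cn": ["jdoe"], "loginDisabled": ["TRUE"]},
    "cn=svc#backup,ou=it,o=corp": {"objectClass": ["person"], "cn": ["svc#backup"]},
    "cn=asmith,ou=it,o=corp": {"objectClass": ["person"], "cn": ["asmith"]},
    "cn=printer1,ou=it,o=corp": {"objectClass": ["device"], "cn": ["printer1"]},
}

def parse(s, i=0):
    """Parse one filter starting at s[i]; return (node, index after it)."""
    if s[i] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if s[i] in "&|!":
        op, kids = s[i], []
        i += 1
        while s[i] == "(":
            kid, i = parse(s, i)
            kids.append(kid)
        node = (op, kids)
    else:
        end = s.index(")", i)
        attr, pattern = s[i:end].split("=", 1)
        node = ("=", attr.lower(), pattern)
        i = end
    if s[i] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    """Evaluate a parsed filter against a single entry's attributes."""
    if node[0] in "&|":
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    values = [v for k, vs in entry.items() if k.lower() == attr for v in vs]
    # '*' is the only wildcard; '#' is an ordinary character in a filter value.
    rx = re.compile(".*".join(map(re.escape, pattern.split("*"))), re.I | re.S)
    return any(rx.fullmatch(v) for v in values)

def select(filter_text, entries):
    """Return the DNs of the entries the filter keeps."""
    tree, _ = parse(filter_text)
    return [dn for dn, attrs in entries.items() if matches(tree, attrs)]
```

`select(FILTER, ENTRIES)` keeps the enabled `jdoe` entry and `asmith`, and drops the disabled `jdoe` entry in the other container, the `#` account and the non-person object, because the filter is applied to each entry on its own.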