For SharePoint 2007 our MOSS profile sync uses an LDAP query that filters out the OU users we don't require -
ie User filter: (&(objectClass=user)(!Status:=System)(!UserAccountControl:1.2.840.113556.1.4.803:=2))
This assumes we want everyone except those with an AD attribute of Status=System (the UserAccountControl setting excludes disabled accounts)
For SharePoint 2010, once you have set up your Synchronization Connection to include one or more OUs from AD, you can then add exclusion rules by clicking to the right of the Synchronization Connection and choosing Edit Connection Filters from the menu.
I didn't read the screen properly and just applied the same filter logic as SharePoint 2007, but after 4 hours of pain not getting the results I wanted, I read what it said on the screen.
It says "Exclusion Filter for Users" - as such YOU MUST REVERSE YOUR LOGIC from SP2007!!
Thus to achieve the same result above you need:
ie User filter: (Status:=System)(UserAccountControl:Bit On:=2))
I'll read the screen next time - duh!
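The reversal described above, worked through as an added example (not part of the original post): it models the SP2007 inclusion filter and the SP2010 exclusion rules over constructed sample accounts and shows what gets imported when the logic is and is not reversed. The account names and values are made up, and the two exclusion rules are assumed to be combined with OR.

```python
# Added example: constructed sample accounts, not real directory data.
ACCOUNTDISABLE = 0x2  # userAccountControl bit tested by the ":=2" / "Bit On" rule

# (name, Status attribute, userAccountControl)
ACCOUNTS = [
    ("alice",   None,     512),    # normal enabled user
    ("bob",     None,     514),    # 512 + 2: disabled
    ("svc-sql", "System", 66048),  # enabled, marked Status=System
    ("old-svc", "System", 66050),  # Status=System and disabled
    ("carol",   "Staff",  512),    # some other Status value, enabled
]

def status_is_system(acct):
    return acct[1] == "System"

def bit_on(acct, mask=ACCOUNTDISABLE):
    # Bitwise-AND match: true when every bit in mask is set in the value.
    return acct[2] & mask == mask

def sp2007_include(acct):
    # SP2007 filter says who IS imported: NOT System AND NOT disabled.
    return not status_is_system(acct) and not bit_on(acct)

def sp2010_exclude(acct):
    # SP2010 rules say who is DROPPED: System OR disabled (OR is an assumption).
    return status_is_system(acct) or bit_on(acct)

def imported(accounts, include=None, exclude=None):
    if include is not None:
        return [a[0] for a in accounts if include(a)]
    return [a[0] for a in accounts if not exclude(a)]

def compare(accounts=ACCOUNTS):
    return {
        "sp2007": imported(accounts, include=sp2007_include),
        "sp2010_reversed": imported(accounts, exclude=sp2010_exclude),
        # The mistake: SP2007 inclusion logic entered on the exclusion screen.
        "sp2010_not_reversed": imported(accounts, exclude=sp2007_include),
    }

if __name__ == "__main__":
    for label, names in compare().items():
        print(f"{label:20} {names}")
```

With the unreversed logic, the profile store ends up holding exactly the disabled and System accounts the filter was meant to keep out.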