This is the standard filter that CM will apply even if you don't have defined any custom LDAP filter.
Standard default LDAP filter for users (&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
If you would want to add the criteria that you list you would do this.
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(email=*)(|(givenName=test*)(givenName=serv*)))
To explain the part some I loaded the filter into a LDAP browser to get a graphical depiction of it.
Would you mind to rephrase what you want as the result of the filter? In the event that I might have misread what you wrote from the start.
Then your filter should be this.
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.113556.1.4.803:=2))(email=*)(|(!(givenName=SVC*))(!(givenName=health*))))
In the LDAP builder it would look like this.
The difference is that you need to negate the given name part to filter them out. For email that's not needed as you're filtering on that this field has a value, any user with no email address should be filtered out.
To be clear the filter that you have built would include the users that the filter match. If that is not what you intend the filter needs to be modified.
If the OU is visible in the search path you cannot exclude it as such from the synchronous with a LDAP filter as CM do not support filtering on members of a OU. What you can do is filter on users that belongs to a security group and without to much hassle you should be able to write a PowerShell script that looks for users in the OU and adds them into the group. With that you should effectively have filtered out users in the OU.
You can't filter the OU, instead of syncing from full domain, make multiple LDAP directory and sync each OU. But remember that you can have only 20 LDAP directories.
