[Samba] negative ldap filter on AD

me at electronico.nc me at electronico.nc
Thu Oct 31 20:38:57 MDT 2013


Hi all,

Samba 4.1 as AD/DC
local postfix & dovecot hooked to AD via ldap queries (special user 
created in AD for that purpose).

Everything works as expected, but:

I'd like inactive users in AD not to be able to read/send emails 
(understandable, I think).
User status seems (sorry, I'm an AD newbie) to be controlled by the 
'userAccountControl' field in AD.

Created 2 test users in AD: test1, test2
user test1 has been disabled from WRAT:
> ldapsearch -LLL -H ldap://localhost:389 -b 'ou=users,dc=domain,dc=lan' 
> -D 'DOMAIN\ldap' -w 'My_secret_1' 
> '(&(objectcategory=person)(cn=*)(userAccountControl=66048))' mail 
> userAccountControl
->
> mail: test2 at domain.lan
> userAccountControl: 66048
test2 account is indeed set to 'disabled' and returns the 66048 value (for 
a never-expire password)

> ldapsearch -LLL -H ldap://localhost:389 -b 'ou=users,dc=domain,dc=lan' 
> -D 'DOMAIN\ldap' -w 'My_secret_1' 
> '(&(objectcategory=person)(cn=*)(userAccountControl=66050))' mail 
> userAccountControl
->
> mail: test1 at domain.lan
> userAccountControl: 66050
test1 account is indeed set to 'enabled' and returns the 66050 value (for a 
never-expire password)

I'd like to set up the LDAP filter in Dovecot to exclude (at least) the 66048 
value.
The original filter (queried with ldapsearch too) is:
(&(objectClass=person)(cn=%n)(mail=*))

Tried many syntaxes (via ldapsearch), but I've been unable to apply a 
negative condition like:
(&(objectClass=person)(cn=%n)(mail=*)(!userAccountControl=66050))
or
(&(objectClass=person)(cn=%n)(mail=*)(userAccountControl!=66050))
It always returns:
ldap_search_ext: Bad search filter (-7)

I've 'googled' and I don't understand why the negative (!) filter is not 
understood by ldapsearch against AD.

Thanks in advance for your time & lights.
Nicolas
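Added example, not part of Nicolas's post: a small RFC 4515 filter parser and evaluator in Python, run against constructed entries instead of a live AD. It shows why the two filters above are rejected (in LDAP, `!` is a prefix operator that must wrap a parenthesised filter, so the valid form is `(!(userAccountControl=66050))`, and there is no `!=` operator at all), and it adds Active Directory's bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) applied to the ACCOUNTDISABLE bit 0x2. Decoding the two values from the post: 66050 = 0x10000 (DONT_EXPIRE_PASSWORD) + 0x200 (NORMAL_ACCOUNT) + 0x2 (ACCOUNTDISABLE), while 66048 is the same without the 0x2 bit, which is why a filter on the bit is more robust than a filter on one whole value. The `ENTRIES` data, the `dovecot_filter` helper and the parser itself are constructed for this example; the OID and bit values are Microsoft's documented ones.

```python
"""Tiny RFC 4515 search-filter parser/evaluator (added example, constructed
data only, no LDAP server is contacted). Shows why '(!attr=v)' and '(attr!=v)'
are rejected as "Bad search filter" while '(!(attr=v))' is accepted, and how
AD's bitwise-AND matching rule targets the ACCOUNTDISABLE bit."""

import re

# Constructed entries standing in for the two test users (plus one without mail).
# 66050 = 0x10000 (DONT_EXPIRE_PASSWORD) | 0x200 (NORMAL_ACCOUNT) | 0x2 (ACCOUNTDISABLE)
# 66048 = 0x10000 | 0x200, i.e. the same flags with the disable bit clear.
ENTRIES = [
    {"objectClass": ["person"], "cn": ["test1"], "mail": ["test1@domain.lan"], "userAccountControl": ["66050"]},
    {"objectClass": ["person"], "cn": ["test2"], "mail": ["test2@domain.lan"], "userAccountControl": ["66048"]},
    {"objectClass": ["person"], "cn": ["nomail"], "userAccountControl": ["512"]},
]

ACCOUNTDISABLE = 0x2
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # AD bitwise-AND extensible match

# Simple item: attr[:oid:]=value (RFC 4515 escapes such as \2a are not handled here)
_ITEM = re.compile(r"([A-Za-z][A-Za-z0-9.-]*)(?::([0-9.]+):)?=(.*)", re.S)


class BadFilter(ValueError):
    """Raised where a real server answers 'Bad search filter'."""


def parse(text):
    node, pos = _parse(text, 0)
    if pos != len(text):
        raise BadFilter("trailing characters after filter at offset %d" % pos)
    return node


def _parse(s, i):
    if i >= len(s) or s[i] != "(":
        raise BadFilter("expected '(' at offset %d" % i)
    i += 1
    if i < len(s) and s[i] in "&|":
        op, i, children = s[i], i + 1, []
        while i < len(s) and s[i] == "(":        # one or more nested filters
            child, i = _parse(s, i)
            children.append(child)
        if not children:
            raise BadFilter("'%s' needs at least one nested filter" % op)
        node = ("&|"[0] if op == "&" else "|", children)
    elif i < len(s) and s[i] == "!":
        # NOT takes exactly one *parenthesised* filter: (!(a=b)), never (!a=b)
        child, i = _parse(s, i + 1)
        node = ("!", child)
    else:
        j = s.find(")", i)
        if j < 0:
            raise BadFilter("unterminated item at offset %d" % i)
        m = _ITEM.fullmatch(s[i:j])
        if not m:  # also catches 'attr!=value', which LDAP filters do not have
            raise BadFilter("bad item %r" % s[i:j])
        node, i = ("=", m.group(1), m.group(2), m.group(3)), j
    if i >= len(s) or s[i] != ")":
        raise BadFilter("expected ')' at offset %d" % i)
    return node, i + 1


def _values(entry, attr):
    # LDAP attribute names are case-insensitive (objectclass == objectClass)
    for name, vals in entry.items():
        if name.lower() == attr.lower():
            return list(vals)
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(c, entry) for c in node[1])
    if kind == "|":
        return any(matches(c, entry) for c in node[1])
    if kind == "!":
        return not matches(node[1], entry)
    _, attr, rule, value = node
    vals = _values(entry, attr)
    if rule == LDAP_MATCHING_RULE_BIT_AND:
        mask = int(value)                   # true when every bit of the mask is set
        return any(int(v) & mask == mask for v in vals)
    if rule is not None:
        raise BadFilter("unsupported matching rule %s" % rule)
    if value == "*":                        # presence test, e.g. (mail=*)
        return bool(vals)
    return any(v.lower() == value.lower() for v in vals)


def search(filter_text, entries=ENTRIES):
    """Return the cn of every entry matching the filter, like ldapsearch would."""
    node = parse(filter_text)
    return sorted(e["cn"][0] for e in entries if matches(node, e))


def dovecot_filter(username):
    """Dovecot-style filter with %n substituted (hypothetical helper): keeps
    mailbox users and excludes any account whose ACCOUNTDISABLE bit is set."""
    template = ("(&(objectClass=person)(cn=%n)(mail=*)"
                "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))")
    return template.replace("%n", username)


if __name__ == "__main__":
    for bad in ("(&(cn=*)(!userAccountControl=66050))", "(&(cn=*)(userAccountControl!=66050))"):
        try:
            parse(bad)
        except BadFilter as exc:
            print("rejected %s: %s" % (bad, exc))
    print(search("(&(objectClass=person)(cn=*)(!(userAccountControl=66050)))"))
    for user in ("test1", "test2", "nomail"):
        print(user, search(dovecot_filter(user)))
```

With the constructed data, the exact-value negation excludes only the 66050 entry, whereas the bit test excludes every entry whose 0x2 bit is set regardless of the other flags; in Dovecot the same `(!(userAccountControl:1.2.840.113556.1.4.803:=2))` term can be appended to `pass_filter`/`user_filter` unchanged, since the `%n` substitution happens before the filter reaches the server.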