When performing searches in AD, Password Manager uses the ‘Ambiguous Name Resolution’ (ANR) LDAP filter to help identify objects.
While you may be able to limit certain attributes in a search, the ANR LDAP filter includes a few additional attributes in the search by default, such as ‘Physical-Delivery-Office-Name’ (Office) and ‘Proxy-Addresses’.
For a full list of all the attributes that are queried please refer to the following TechNet article:
This is by design. An enhancement request (TF00128148) has been created detailing the feature: “Ability to enable/disable ANR ldap filter from searches (toggle under: General Settings > Search and Logon Options)”.
1) Launch ADSI Edit and open the AD Schema;
2) Locate the attribute you’d like to exclude from the ANR filter;
3) On its ‘Properties’ pane, uncheck the option: ‘Ambiguous Name Resolution (ANR)’;
4) Restart IIS.
The product team will evaluate the request and this feature may become available in a future release of the product.
Please refer to this article for updates or contact support referencing the Enhancement Request ID: TF00128148.
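To show why a search also matches Office and proxy addresses, and what unchecking the ANR option in step 3 changes, here is an added example (not Password Manager or Microsoft code) that models how a single-word `(anr=term)` filter expands into an OR over every attribute whose `searchFlags` value has the ANR bit (0x4) set. The schema records are constructed samples rather than the full default ANR set, the function names are hypothetical, and the extra clauses AD builds for multi-word terms are not modelled.

```python
FLAG_ANR = 0x4  # fANR bit in the schema attribute's searchFlags value

# Constructed sample records (lDAPDisplayName -> searchFlags).
# Not read from a live directory and not the complete default ANR set.
SAMPLE_SCHEMA = {
    "displayName": 0x5,
    "givenName": 0x5,
    "sn": 0x5,
    "sAMAccountName": 0xD,
    "physicalDeliveryOfficeName": 0x5,
    "proxyAddresses": 0x5,
    "mail": 0x1,  # indexed, but the ANR bit is not set
}


def escape_filter_value(value):
    """Escape RFC 4515 special characters so the search term stays a literal."""
    return "".join(
        "\\%02x" % ord(ch) if ch in "\\*()\x00" else ch for ch in value
    )


def anr_attributes(schema):
    """Names of the attributes that take part in ANR, in a stable order."""
    return sorted(name for name, flags in schema.items() if flags & FLAG_ANR)


def expand_anr(term, schema):
    """OR-of-prefix-matches filter equivalent to a single-word (anr=term)."""
    value = escape_filter_value(term)
    clauses = "".join("(%s=%s*)" % (a, value) for a in anr_attributes(schema))
    return "(|%s)" % clauses


def clear_anr(schema, attribute):
    """Model of step 3: copy of the schema with the ANR bit cleared on one attribute."""
    updated = dict(schema)
    updated[attribute] &= ~FLAG_ANR
    return updated


if __name__ == "__main__":
    print("before:", expand_anr("lon", SAMPLE_SCHEMA))
    trimmed = clear_anr(SAMPLE_SCHEMA, "physicalDeliveryOfficeName")
    print("after: ", expand_anr("lon", trimmed))
```

Because the ANR bit lives in the schema, clearing it changes the expansion for every application that issues ANR searches against the forest, not only Password Manager.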