You might want to also run some queries to make sure you're not excluding
legitimate users who have the letters "test" in their description like "portal
users John Beltest". Are your "test" users members of any telltale domain
groups, like a group in which you place all your test accounts? If so, you might
consider using a query against memberOf instead of description.