I'm running into an odd issue and can't find any information. I am trying to figure out why queries to return disabled users aren't working and return a value of 0 entries.
The following queries work well in Active Directory, but do not work for AD LDS instances:
Get-ADUser -Server 'ADLDS' -SearchBase "Path" -Filter "msDS-UserAccountDisabled -eq '$true'"
Get-ADUser -Server 'ADLDS' -SearchBase "Path" -Filter "Enabled -eq '$false'"
Get-ADUser -Server 'ADLDS' -SearchBase "Path" -LDAPFilter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
Get-ADUser -Server 'ADLDS' -SearchBase "Path" -LDAPFilter "(&(objectCategory=person)(objectClass=user)(msDS-UserAccountDisabled=true))"
The only queries that worked are as follows:
Get-ADUser -Server 'ADLDS' -SearchBase "Path" -Filter * -Properties * | Where-Object "msDS-UserAccountDisabled" -EQ $true
Get-ADUser -Server 'ADLDS' -SearchBase "Path" -Filter * -Properties * | Where-Object Enabled -EQ $false
Is there a reason the filters on the query side aren't working and why can I only filter on the data after retrieving it? This is a much slower method to get the desired information. Is this a limitation of AD LDS or am I making a mistake with the query?
I am aware of the Search-ADAccount cmdlet. This adds further to the confusion, as it states it looks at the Enabled property for a false value. But as seen in the queries above, using Get-ADUser with the filter of Enabled equal to false doesn't work. In fact, the error message that it throws is either a syntax error, or system.string not supported for extended attribute Enabled.
Upvotes: 0
Views: 186