by Gun Karagoz.
Thanks Iñaki Arenaza! I found that some of the SYSTEM/SERVICE users have $ in their username.
It seems I cannot allow $ with site policy, so I need to skip those usernames when syncing. Is that also possible? I'm not very familiar with LDAP and I'm not the admin of AD. Is there a way to use some configuration in the "User lookup settings" section (to filter out some users)?