diff --git a/changelog/unreleased/fix-hide-disabled-users.md b/changelog/unreleased/fix-hide-disabled-users.md
new file mode 100644
index 0000000000..cb4d23500f
--- /dev/null
+++ b/changelog/unreleased/fix-hide-disabled-users.md
@@ -0,0 +1,8 @@
+Bugfix: Don't return disabled users in GetUser call
+
+We fixed a bug where it was still possible to lookup a disabled User if
+the user's ID was known.
+
+https://github.com/cs3org/reva/pull/4427
+https://github.com/cs3org/reva/pull/4426
+https://github.com/owncloud/ocis/issues/7962
diff --git a/pkg/user/manager/ldap/ldap.go b/pkg/user/manager/ldap/ldap.go
index 6b8eeb66cd..a996dbee2d 100644
--- a/pkg/user/manager/ldap/ldap.go
+++ b/pkg/user/manager/ldap/ldap.go
@@ -116,6 +116,10 @@ func (m *manager) GetUser(ctx context.Context, uid *userpb.UserId, skipFetchingG
 		return nil, err
 	}
 
+	if m.c.LDAPIdentity.IsLDAPUserInDisabledGroup(log, m.ldapClient, userEntry) {
+		return nil, errtypes.NotFound("user is locally disabled")
+	}
+
 	if skipFetchingGroups {
 		return u, nil
 	}
diff --git a/pkg/utils/ldap/identity.go b/pkg/utils/ldap/identity.go
index f438d33203..0a9af35c18 100644
--- a/pkg/utils/ldap/identity.go
+++ b/pkg/utils/ldap/identity.go
@@ -503,11 +503,12 @@ func (i *Identity) getUserFilter(uid string) (string, error) {
 		escapedUUID = ldap.EscapeFilter(uid)
 	}
 
-	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s))",
+	return fmt.Sprintf("(&%s(objectclass=%s)(%s=%s)%s)",
 		i.User.Filter,
 		i.User.Objectclass,
 		i.User.Schema.ID,
 		escapedUUID,
+		i.disabledFilter(),
 	), nil
 }
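Review bot: The added rejection returns `errtypes.NotFound("user is locally disabled")`, so if the lookup's own not-found path (outside the hunk) carries a different message, a caller who can guess IDs can still tell a disabled account apart from a nonexistent one, which turns the hide-disabled-users fix into an existence oracle. Consider returning the same NotFound value the missing-user branch produces and logging the real reason at debug level instead, e.g. `log.Debug().Msg("user is in a disabled group")` followed by `return nil, errtypes.NotFound(...)` with the argument the missing-user branch uses. Because getUserFilter now appends `disabledFilter()` to the LDAP search itself, a short comment should record why this second check is still needed — presumably `// attribute-based disabling is excluded by the search filter; group-based disabling is checked here` — if that is indeed the distinction, which the hunk does not show. GetUser's body starts before and continues after the hunk, and `log` is not declared within it.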
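Review bot: getUserFilter now splices `i.disabledFilter()` straight into the `(&...)` conjunction through the new `%s`, so the result is only a valid LDAP filter if `disabledFilter` returns either an empty string or a complete parenthesised term such as `(!(attr=value))`; that helper is not in the hunk, so the contract should be stated where it is relied on. A one-line comment above the return, `// disabledFilter() must yield "" or a fully parenthesised filter term; anything else breaks the conjunction.`, plus a doc comment on getUserFilter noting that the returned filter now excludes disabled users, would make this explicit. If `disabledFilter` can fail on misconfiguration, surfacing that as an error here would be better than an unparsable filter at search time, but its signature is not visible. getUserFilter's signature and the start of its body lie before the hunk.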