Web interface icon for disabled users is incorrect/missing

We have disabled user accounts located in a separate OU. There are no permissions assigned for general users to list or see the OU or its contents.

When viewing group memberships, these disabled users will appear with normal account icons (no red-circle/slash).  If an elevated user with permissions to view all user properties within the disabled OU views the same group membership, then the red-circle/slash icon does appear.  I have tried creating a custom AD access template to allow permissions to the OU for all users to read the Account Disabled attribute only, but that is insufficient.  What other properties must be included to make this work?