Active Directory user filter does not search nested groups
This Knowledge Base article was written specifically for the Atlassian Server platform. Due to the Functional differences in Atlassian Cloud, the contents of this article cannot be applied to Atlassian Cloud applications.
An Active Directory (AD) user object filter to pull in users from a specific group does not recursively search groups nested under the specified group, even though recursion is enabled. A filter like the following is used:
Crowd uses basic LDAP syntax rules for searching. By default, any searches with memberOf will only check direct attributes, so AD will only return information back to Crowd based on direct attribute checks.
To get a recursive search, or to have AD check relations, extra properties need to be included to the filter. In this case, the string 1.2.840.113522.214.171.1241 will need to be added. According to Microsoft:
The string 1.2.840.1135126.96.36.1991 specifies LDAP_MATCHING_RULE_IN_CHAIN. This applies only to DN attributes. This is an extended match operator that walks the chain of ancestry in objects all the way to the root until it finds a match. This reveals group nesting. It is available only on domain controllers with Windows Server 2003 SP2 or Windows Server 2008 (or above).
For more information, see the following from Technet:
Modify the above filter to include the extended match operator: