Issue: An Active Directory (AD) user object filter that retrieves users from a specified group does not recursively search for groups nested under the specified group, even if recursion is enabled. A filter like the following is used:
By default, all searches with memberOf check only direct attributes, so AD returns information to Kadeck based only on direct attribute checks.
To get a recursive search, that is, to have AD follow group relations, an extra property needs to be added to the filter. In this case, the string 1.2.840.113556.1.4.1941 will need to be added. Learn more here.
Modify the above filter to include the extended match operator:
Note: the group names in the above filter cannot be wildcards. If you need to specify multiple groups, you can configure them as follows:
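The following is an added example, not taken from the original article or from Kadeck: a small Python builder for the direct and recursive forms of a memberOf filter, using the AD matching rule LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941). The `(objectClass=user)` clause, the OR combination of several groups, the function names and the sample DNs are assumptions made for illustration.

```python
# Added example: builds AD user filters that expand nested groups.
# LDAP_MATCHING_RULE_IN_CHAIN is a documented AD extensible-match rule OID.
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"

# RFC 4515 requires these characters to be escaped inside assertion values.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP search filter."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def member_of_clause(group_dn: str, recursive: bool = True) -> str:
    """Return one memberOf clause for a full group DN."""
    if "*" in group_dn:
        # memberOf holds whole DNs; a wildcard would never match a group.
        raise ValueError(f"wildcards are not supported in group DN: {group_dn!r}")
    if "=" not in group_dn:
        raise ValueError(f"expected a distinguished name, got: {group_dn!r}")
    attr = f"memberOf:{IN_CHAIN_OID}:" if recursive else "memberOf"
    return f"({attr}={escape_filter_value(group_dn)})"


def user_filter(group_dns, recursive: bool = True) -> str:
    """Build a user filter matching members of any listed group."""
    clauses = [member_of_clause(dn, recursive) for dn in group_dns]
    if not clauses:
        raise ValueError("at least one group DN is required")
    # Assumption: several groups are combined with an OR of full-DN clauses.
    groups = clauses[0] if len(clauses) == 1 else "(|" + "".join(clauses) + ")"
    return f"(&(objectClass=user){groups})"


if __name__ == "__main__":
    # Constructed sample DNs for illustration only.
    sample = ["CN=Kadeck Admins,OU=Groups,DC=example,DC=com",
              "CN=Ops (EU),OU=Groups,DC=example,DC=com"]
    print(user_filter(sample[:1], recursive=False))  # direct members only
    print(user_filter(sample))                       # nested groups expanded
```

Escaping the DN before it is placed in the filter keeps parentheses or backslashes in a group name from changing the filter's structure.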