The active directory plugin is able to resolve nested groups for:

• Security groups: For this, you can use Token-Groups group lookup strategy
• Distribution groups: Both, nested distribution and security groups can be resolved by using the recursive lookup strategy.

The problem is when we have nested groups with a different nature, something like:

• Security Group A -> Distribution Group A -> Distribution Group B

In the above example, the plugin will only discover Security Group A with both Token-Groups and Recursive Lookup Strategy.

On the other hand in the example below, the plugin will be able to discover: Security Group A, Security Group B and Security Group C with the Token-Group strategy and ALL of them with the recursive strategy (since it considers both security and distribution)

• Distribution Group A -> Distribution Group B -> Distribution Group C
• Security Group A -> Security Group B -> Security Group C

I think we should create a new Group Lookup Strategy called "Recursive Full" which will consider all the groups. The current recursive should be called something like "Recursive light"