By: Matthew Daubney user 29 Aug 2019 at 4 a.m. CDT

3 Responses
Expected Behavior: When cache refresh syncs memberOf from an Active Directory server, it pulls in all groups, including those in which membership comes from a group nested in a group.

Actual Behavior: All groups listed in a user's memberOf field are pulled in, except those that come from a membership from a group nested in a group.

Apparently this is a thing with AD. Is there any way to use the LDAP_MATCHING_RULE_IN_CHAIN AD rule? (https://docs.microsoft.com/en-gb/windows/win32/adsi/search-filter-syntax)

Thanks

By Aliaksandr Samuseu staff 30 Aug 2019 at 3:23 p.m. CDT

Hi, Matthew. Cache Refresh is, by design, a rather simple tool. It will request the LDAP attributes you specify in the "Source attributes" list, and will craft a local user entry using them (subject to mapping rules). So if you request "memberOf", you'll get the same list of values you would get with an LDAP search for this user, nothing more. For anything more complex than that, there is a custom script for the CR feature, where you can implement additional actions, including making additional searches for more group memberships.

> Apparently this is a thing with AD. Is there any way to use the LDAP_MATCHING_RULE_IN_CHAIN AD rule?

Interesting. I'll try to test it and let you know. Overall, I think we could make use of more flexibility in configuring what LDAP queries CR uses when searching for users.

By Aliaksandr Samuseu staff 30 Aug 2019 at 5:33 p.m. CDT

I've looked into it briefly, and I'm not sure this matching rule is something that might help. In any case, I guess if you're able to find an LDAP filter which produces the result you need, you may try to add it to "Custom LDAP filter" on the page (everything added there will be attached to the auto-generated filter via the `&` operator). Or you can write a custom script which will do additional searches against your AD. Not sure I can offer a better solution at the moment.
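An added illustration, not part of the thread and not Gluu code: the group search filter that uses LDAP_MATCHING_RULE_IN_CHAIN (OID 1.2.840.113556.1.4.1941) with the user DN escaped per RFC 4515, next to the client-side walk up `memberOf` that a script doing additional searches could perform instead. The `lookup_member_of` callback, the sample DNs and the in-memory directory are constructed assumptions.

```python
IN_CHAIN_OID = "1.2.840.113556.1.4.1941"  # LDAP_MATCHING_RULE_IN_CHAIN

def escape_filter_value(value):
    """Escape a value for an LDAP search filter (RFC 4515), so a DN that
    contains \\ * ( ) or NUL cannot change the filter's structure."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)

def in_chain_filter(user_dn):
    """Filter matching every group that holds user_dn directly or via nesting."""
    return "(member:%s:=%s)" % (IN_CHAIN_OID, escape_filter_value(user_dn))

def expand_groups(direct_groups, lookup_member_of):
    """Follow memberOf upward from the user's direct groups.
    lookup_member_of(dn) is a hypothetical callback returning the memberOf
    values of one group; a real script would do an LDAP read there.
    The seen map makes circular nesting terminate."""
    seen = {}
    queue = list(direct_groups)
    while queue:
        dn = queue.pop()
        key = dn.lower()  # simplified case-insensitive DN comparison
        if key in seen:
            continue
        seen[key] = dn
        queue.extend(lookup_member_of(dn))
    return sorted(seen.values())

# Constructed sample directory: Developers -> Engineering -> Staff -> Developers
def _g(name):
    return "CN=%s,OU=Groups,DC=example,DC=com" % name

SAMPLE_MEMBER_OF = {
    _g("Developers").lower(): [_g("Engineering")],
    _g("Engineering").lower(): [_g("Staff")],
    _g("Staff").lower(): [_g("Developers")],  # deliberate cycle
}

def sample_lookup(dn):
    return SAMPLE_MEMBER_OF.get(dn.lower(), [])

if __name__ == "__main__":
    user = "CN=Smith\\, John (EU),OU=Users,DC=example,DC=com"  # constructed DN
    print(in_chain_filter(user))
    print(expand_groups([_g("Developers")], sample_lookup))
```

The filter is meant for a search over group entries; it returns the groups themselves and does not change what the user's own `memberOf` attribute contains.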

By Matthew Daubney user 02 Sep 2019 at 7:29 a.m. CDT

Thanks. I'm on leave at the moment, but will take a look when I get back into the office next Monday and will report back. :)