I was able to get the group syncing working against AD, however, I was curious how the LDAP searches work.
When I turn on the nested group property and sync a group, it syncs all the nested groups correctly with their users, but I don't really want it to do that -- I just want the user accounts to be placed in the group that I typed into the search box. That way, I don't need to manage permissions for many groups and only need to do it once for the top-most group.
What combination of properties and checkboxes allow me to do that? More specifically, how does "Import new members from all subgroups" work, and is that what I want because that didn't seem to work as expected. It still created Hue groups for the nested ones.