Nested group search is a new feature added to Windows AD server when the LDAP server’s settings have group-member-check set to user-attr. After authentication succeeds, fnbamd gets groups from user attributes and repeats LDAP queries on the groups until reaches the top layer.