Allow backend groups to point to AD containers or OUs
When creating a backend group in UTM against Active Directory, you cannot specify an OU or Container for membership. In eDir backend groups, you can point it at an OU and everything under that resolves to the group. The same is not true for AD; the user does not resolve as a member of the group if backend membership is limited to an OU, it only works when pointed to an actual group object.
I suggest mirroring the features from eDir group processing in AD group processing, and allowing backend group membership to be determined by OU or Container.