I have had a few issues with groups and users and not getting the correct details I want.
Have you created an AD security group that contain the users you want directly or by adding other groups to it? If so, I had a problem and it was the filter (http://www.igniterealtime.org/community/thread/38835). I have made some changes to it;
(&(objectClass=user)(memberOf:1.2.840.1135126.96.36.1991:=CN=XMPP_Users,OU=Applicat ions,OU=Security Groups,OU=CompanyA,DC=Company,DC=local)(!(userAccountControl:1.2.840.113556.1.4 .804:=2))(!(cn=service*)))
The (userAccountControl:1.2.840.1135188.8.131.524:=2) should hide any disabled accounts. I not 100% about .804 or .803 being needed. You need to be careful with matching a fixed value against userAccountControl as password expiry and the like options force a different mask into this.
The (memberOf:1.2.840.1135184.108.40.2061:=CN=XMPP_Users,…) should iterate any goups that are members of XMPP_Users for their users and list them as members of XMPP_Users.
If your baseDN is not broad enough, then the filter wont retreive the details. I found, using the Active Directory Users and Computers mmc and creating saved searches allowed me to better test the connection before applying a filter that locked out the administrators. Also check how it goes changing between CN and OU for the path names. I have seen some filters all (CN=…,CN=…,CN=…,DC=…,DC=…) and others (CN=…,OU=…,OU=…,DC=…,DC=…). I saw a reference to using ADExplorer (sysinternals) and have found it a great help as its pretty good at letting you see what you can use.
As for group filters, I have no really experimented to far.