this may be my design. lets say for example you restrict your roster groups. you may have a member that needs access to both groups…therefore you would want them listed in each roster group. I usually address this issue by creating dedicated IM groups. here is an example on I do this in AD How to Setup Authentication Groups with LDAP/AD