I have an instance of Crowd 1.4.2, with a connector to a Microsoft Active Directory Server running on Windows 2003 R2 SP 2.
We have many groups in our AD – so many that they're unwieldy to work with all at once. So I created an OU containing only the groups I need. I used this OU as filter by referencing it in my base DN for groups in the connector configurator: ou=Extranet,ou=Groups.

In one way, this works. If I view the list of available groups in Crowd for that directory, it shows just what it should – the 6 groups I care about. But if I bring up a user record and examine their groups, I see ALL the AD groups they're a part of, not just the filtered ones I care about. If I click into such a group, I do get an inspect/edit screen, but with a red warning bar. If I click from that group into a list of its users, I see nothing.

Likewise in Jira, which I integrated with Crowd, I get similar behavior in terms of seeing the additional groups, and being led to belive I can edit/inspect them, then getting warnings and failures.