well there are certainly attributes not listed there. an example i got through google reads:

nss_base_passwd cn=Users,?sub
nss_base_shadow cn=Users,?sub
nss_map_objectclass posixAccount User
nss_map_objectclass shadowAccount User
nss_map_attribute uid sAMAccountName
# nss_map_attribute userPassword msSFUPassword
nss_map_attribute homeDirectory msSFUHomeDirectory
nss_map_objectclass posixGroup Group
nss_map_attribute uniqueMember member
nss_map_attribute cn sAMAccountName
pam_login_attribute sAMAccountName
pam_filter objectclass=user
pam_password ad

so you're not going to be getting that posixGroup mapping at present.

There is actually a logical separation between doing a "getent group" and knowing a user is in a certain group, as it's the user query which says which groups the user is in, as opposed to the whole list of groups being sought. In general that seldom happens. Within the system there you should also be able to do an "id username" to do call the info that the group memberships are going to be used in a comparison

THX so much!!

nss_map_objectclass posixGroup Group this was the line to make it work.
Now when i do a getent group, i can see the group. I will test denying groups to folders right now.

and you thought i'd given up on you ... ;-)

lol groupname works too!