Rule based on Group "Domain Users" does not match for LDAP users