AD Security Group Sync should be based on User Guid or SID not on Distinguished name
If you are using a cmdb synched AD User Group for Portal Group mapping, Portal Admin Settings … and someone else changed the Org Unit of this Group in the ad the Cireson Cache Builder won't find the Group anymore and so till to the next scsm ad sync the users of this Group cannot see their tickets, have no Rights … and so on. In big Directorys it's not really possible to run the ad sync every Minute. Cause of security policys it whould be also necessary to use user Groups from other trusted Domains in all portal settings not only where the Portal is running. 
