It seem that the external group mapping (NT Domain Group to a ACS group) work only with the immediate NT group where the users are defined. So if a group A(let say user toto is defined directly in NT domain group A) is then defined in another more general group (let say group A defined in group B), does the ACS radius server will be able to map the user toto against the general group B ? From my test - external mapping will only work against the immediate group, group A in my example.
Re: ACS secure mapping user against NT domain Group
The Database Group Mapping feature in the External User Databases section enables you to associate unknown users with a CiscoSecure ACS group for assigning authorization profiles. For external user databases from which CiscoSecure ACS can derive group information, you can associate the group memberships defined for the users in the external user database to specific CiscoSecure ACS groups