LDAP Admin Filter not working

I have created an ActiveDirectory Auth source, which works completely fine for copying the normal user accounts, but not for the Admin checkmark.

Both the UserFilter and the AdminFilter are exactly the same, just the name of the group is different. One works, the other doesn't.

(&(objectCategory=Person)(memberOf=CN=Gitea,CN=Users,DC=some,DC=rz)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

(&(objectCategory=Person)(memberOf=CN=GiteaAdmin,CN=Users,DC=some,DC=rz)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))

Both groups exist; I have users in the user group, users in the admin group, and users in both the admin and user groups.

Whatever I do, none of the users gets marked as an admin. If I edit someone and make him an admin, on the next resync he is a normal user again.
What am I doing wrong?

Version 1.11.2 (and 1.9.6 as well).

I have the very same issue with AD.
Version: 1.9.6
User filter works fine, I do recognize a membership of the user - and it does work.
The same filter applied to the admin filter, just with a different group name - no chance.
I've set logging to debug level, but there is nothing in the log file about testing the admin filter (the user filter is logged; it helped me to see some other problem I had with my filter before).
I also tried to use a simple filter as the admin filter (just something like (memberof=dn_of_the_group)) as in the example in the documentation, but this also does not work.
I use security global groups.
Both filters work fine in the ldp search tool - if I substitute "%s" with the current (logged-in) user.

I was able to get our LDAP BindDN working with a similar setup that you are showing for regular users… however for the Admin filter I do not have the full query… just the additional filter to add…
IE:
User filter:
(&(objectCategory=Person)(memberof=CN=Gitea, OU=Users, OU=some, OU=group, DC=region, DC=rz)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))
Admin filter:
(memberof=CN=Gitea Cloud Team, OU=Security Groups, DC=region, DC=rz)

Where we have a list of users that are pulled from a "Gitea" group that resides in the Users/some/group/region.rz structure… and then a list of users that are considered "admins" that have been added to a security group that we set up on the AD side (and assigned to certain users from the first query).
I think where yours might be getting mixed up is the additional parts of the admin filter query… I believe what is happening on the Gitea side is that to generate the list of Admin users, it is basically concatenating the Admin filter onto the original user LDAP query… NOT making an entire separate LDAP query to generate a list and then comparing the two lists (which is how you currently have it set up)…

Also just for reference running 1.11.4 here…
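As an added illustration (not code from this thread or from Gitea), here is a small offline evaluator for the filter dialect used above: AND/NOT, equality, and the bitwise-AND extensible match on UserAccountControl that excludes disabled accounts. The directory entries are constructed stand-ins, the group DNs are the ones from the original post, and it only shows what each filter matches on its own; it does not model how Gitea combines the user and admin filters internally.

```python
import re
BIT_AND = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND, used to test the ACCOUNTDISABLE bit
# Filters quoted from the original post; %s is replaced with the login name before the search.
USER_FILTER = "(&(objectCategory=Person)(memberOf=CN=Gitea,CN=Users,DC=some,DC=rz)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
ADMIN_FILTER = "(&(objectCategory=Person)(memberOf=CN=GiteaAdmin,CN=Users,DC=some,DC=rz)(sAMAccountName=%s)(!(UserAccountControl:1.2.840.113556.1.4.803:=2)))"
def escape(value):
    """RFC 4515 escaping for a value substituted into a filter, so a login name cannot alter the filter."""
    return re.sub(r"[\\*()\x00]", lambda m: "\\%02x" % ord(m.group()), value)

def parse(s, i=0):
    """Parse one parenthesised filter starting at s[i]; returns (node, index after it)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|!":                                  # AND / OR / NOT over nested filters
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        return (op, kids), i + 1                       # skip the closing ')'
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)               # DN values contain '=', so split only once
    if attr.endswith(":" + BIT_AND + ":"):             # attr:OID:=mask  (bitwise AND match)
        return ("bitand", attr.split(":")[0], int(value)), end + 1
    return ("eq", attr, value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter against a constructed entry (lower-case attribute names, list values)."""
    kind = node[0]
    if kind == "&": return all(matches(k, entry) for k in node[1])
    if kind == "|": return any(matches(k, entry) for k in node[1])
    if kind == "!": return not matches(node[1][0], entry)
    values = entry.get(node[1].lower(), [])
    if kind == "bitand":
        return any(int(v) & node[2] == node[2] for v in values)
    return any(v.lower() == node[2].lower() for v in values)   # AD string matching is case-insensitive

def search(filter_template, login, entries):
    """Return the sAMAccountNames the filter matches once %s is replaced by the (escaped) login name."""
    tree, _ = parse(filter_template.replace("%s", escape(login)))
    return [e["samaccountname"][0] for e in entries if matches(tree, e)]
def entry(name, groups, uac=512):
    """Constructed stand-in for an AD user object; uac 512 = NORMAL_ACCOUNT, 514 = also ACCOUNTDISABLE."""
    return {"objectcategory": ["Person"], "samaccountname": [name],
            "memberof": [f"CN={g},CN=Users,DC=some,DC=rz" for g in groups],
            "useraccountcontrol": [str(uac)]}

# Constructed directory: alice (user only), bob (user + admin), carol (admin only), dave (both, but disabled).
ENTRIES = [entry("alice", ["Gitea"]), entry("bob", ["Gitea", "GiteaAdmin"]),
           entry("carol", ["GiteaAdmin"]), entry("dave", ["Gitea", "GiteaAdmin"], uac=514)]
```

Running search(ADMIN_FILTER, "bob", ENTRIES) returns ["bob"] while search(USER_FILTER, "dave", ENTRIES) returns [], which is a quick way to confirm offline that a filter itself is sound before looking at how the application applies it.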