So far we've been unable to see a (displayname=*) filter present in our LDAP queries when debugging. However, we did notice that our LDAP query is only displaying 2,000 (of 2,613) groups even after increasing our LDAP query limits on the Splunk side.
ahhh.... good point. Currently, the security group is populated with six users. We don't have a userBaseFilter set, is there anything else that could be masking the users on the Splunk side and preventing the group from being visible?