Groups which have yet-to-be-provisioned groups as members require more than one invocation of ldappc to be correctly provisioned.

Provisioning Active Directory will likely require ldappc to first provision all groups without any members, then once all groups exist, provision memberships. I think that this methodology is safer than running ldappc multiple times.

A potential drawback to provisioning skeleton groups before memberships is that during an ldappc run groups might be seen as 'incorrect' to consuming applications because memberships haven't been provisioned yet. To ameliorate confusion we might provision the member attribute as "TBD" or somesuch, depending on what the target ldap schema allows.