Pertaining to your default group membership, my comment was just that it seemed a little crazy to apply Administrators to all users, it just doesn't seem like an ideal configuration off-hand. However, if you're just testing, I think you have it under control with that explanation, since it's only people with "JIRA Administrators" in your AD environment. Let's get to your issue then.

jira-users is what is licensing your users in this case (or any group you configure to have USE permissions, best to keep it simple and use a dedicated group for this). To explain this further: Any ACTIVE USERS within the group JIRA-USERS will count towards your JIRA license. Thus, we usually ensure that this group is the group that allows 'access.'

The way you have it set up, you are using Default Group Membership to license users within your application. All users within 'All Users, JIRA Administrators' are able to log into this connector. All of these users are then applied with Access/License (jira-users).

Let's clear up an assumption first. This may be important with your directory setup!!!

1. Logging in, users will attempt each directory (in order)
2. If they are not found in a directory, the service will attempt the next available directory
3. If they are found in a directory, the service will attempt to authenticate them
   1. If they pass, they will log in
   2. If they fail, they will not log in (they will NOT attempt against another directory)

So, there is two workarounds to your issue –  

Using a single directory connector connected to your AD environment

• Disable default group membership in JIRA/Crowd
  • Manually manage the group jira-users
  • Manually manage the group service-desk-customers

Using two directory connectors connected to your AD environment

• Active Directory connector, "All Users, JIRA Administrators"
  • Apply jira-users to license users and grant access
  • Apply jira-developers
  • Apply jira-administrators
• Active Directory connector, "All Users, Employees"
  
  • Apply service-desk-customers

Yeah, and it's watching the AD group called 'Users' and the security group called 'Jira Administrators'. I've got a 10 user license as we test things before expanding out to the rest of the PM team. What would be helpful is letting me know if I need to have JIRA user licenses for every person who asks a question on Service Desk?

... your default group membership applies the jira-users, jira-developers, jira-administrators groups huh. Wow.

In user management -> user directories I have an active directory server configured and it is looking for a user and group DN to authenticate. They then get added to a default group membership: jira-administrators,jira-developers,jira-users Is there a way to point to another AD OU and let 'all active users' have a login which lets them create an issue on the service desk? (using another account because it wouldn't let me comment =( )

How do you currently configure your directory?