For large enterprises, the load on domain controllers can be heavy when searching through large OUs. Could you create a user source that would ask for the role(s) required to log in, then cache all the users with that role(s)? Then a search for all users would not be required. I assume this might increase the work for the Ignition server and decrease the work for the DC... Choosing this user source would be an implementation decision for the SI.