@cjackson The reason the login is just a username is because you've specified sAMAccountName. If you want to use an email address, change this to userPrincipalName. Obviously, verify the UPN in your AD box, but that should be the person's email address if your domain is set up correctly.

I don't believe most LDAP query tools support nested group security (it's a common issue). Not an excuse, just an observation btw.
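An added example, not code from the thread above: the two points in that reply (which attribute the login string is matched against, and nested group membership) expressed as LDAP filters for Active Directory. The login value is escaped per RFC 4515 before it is placed in the filter; the matching-rule OID is AD's documented transitive-membership rule, and the sample DN and logins are constructed.

```python
# Attribute names and the transitive-membership matching rule are AD's own.
LDAP_MATCHING_RULE_IN_CHAIN = "1.2.840.113556.1.4.1941"


def escape_filter_value(value: str) -> str:
    """Escape the characters RFC 4515 reserves inside a filter assertion value.

    Without this, a login string such as '*)(objectClass=*' would change the
    filter's structure instead of being matched literally.
    """
    out = []
    for ch in value:
        if ch in "\\*()\0":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def user_filter(login: str, by_upn: bool) -> str:
    """Filter that finds the account for a login string.

    by_upn=False matches the bare username (sAMAccountName), which is why the
    login form only accepts a username; by_upn=True matches the UPN, which in a
    correctly set up domain is the user's email address.
    """
    attr = "userPrincipalName" if by_upn else "sAMAccountName"
    return "(&(objectClass=user)(%s=%s))" % (attr, escape_filter_value(login))


def direct_member_filter(group_dn: str) -> str:
    """Plain memberOf: true only for direct members, which is the common gap."""
    return "(memberOf=%s)" % escape_filter_value(group_dn)


def nested_member_filter(group_dn: str) -> str:
    """memberOf with the in-chain rule: true for direct and nested members.

    Intended to be run with the user's DN as search base and scope BASE, so a
    non-empty result means the user is in the group directly or transitively.
    """
    return "(memberOf:%s:=%s)" % (LDAP_MATCHING_RULE_IN_CHAIN,
                                  escape_filter_value(group_dn))


if __name__ == "__main__":
    group = "CN=VPN Users,OU=Groups,DC=example,DC=com"  # constructed sample DN
    print(user_filter("jdoe", by_upn=False))
    print(user_filter("jdoe@example.com", by_upn=True))
    print(direct_member_filter(group))
    print(nested_member_filter(group))
```

Whether the in-chain rule is honoured depends on the directory being AD; a generic LDAP tool that only emits the plain memberOf form is what produces the nested-group problem the reply mentions.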