It needs permissions similar to the Pre-Windows 2000 Compatible Access group, so the ability to read user attributes, and groups and nested groups. In some environments even a domain admin might not have the necessary perms to perform this operation, so it might not be a good way to test. Pre-Windows 2000 should at least get you working.
I would try looking up some LDAP permissions... If I remember, I think when I was setting up a Citrix NetScaler there was an article on the permissions needed for nested group extraction that showed you the exact permissions to set in AD, which should be applicable here as well.