Rob,
I know this is an old post and never really got resolved... but I couldn't find anywhere a decent documentation that clearly tells what place a new domain user needs to be set up in the AD structure to make it 'visible' to the BP user management (not talking about SharePoint security here).
I've just experienced a strange case (and it's not the first time) where 2 new employees were recently added to AD (1 day apart, over a week ago, so not a sync issue). The first employee I had no issue adding in BP User security with the proper domain name & userID (Domain\UserID)... The second user, I could never add... Talked to our IT guys and they couldn't see any differences between the 2 user setups... but I knew that something was different... In the past I experienced that users that are not visible in the 'All Users' group in the pull-down list won't be able to properly work with BP.
SharePoint security has no problem finding them in AD (both new employees)... but also I understand that the credentials used to access AD may not be the same (in SP, it's my network ID that is used, in BP it's a service account)...
I'd really appreciate it if you could shed some light on this.
Thanks and have a great time.