This is *not* what you call a defect
From your standpoint, container named "group" should only contain groups and "users" container should only contain accounts.
I do understand what you mean (and tend to share) but from LDAP standpoint, unless to add specific controls, such vision doesn't exist
"groups" is a container, like "users" is and within these containers you can create entries that are either account, group, contact or even OU.
From LDAP standpoint, there is nothing wrong. Looking only at LDAP protocol, each entry can also be container.
If you want such additional control to ensure some consistency, then it would mean that at the time you create container, you associate to it what kind of entry is acceptable.
The point is that based on users requirements and also AD sync constraints, Zentyal team decided to add capability to manage multiple OUs (compared to the unique groups and users we have with Zentyal 2.2) but allowing this without additional features has some side effects (I would not call it, like you do "defect" however):
- you have to think twice when creating entry in order to drop it in the right container (fitting on your own design
- moving entries from one container to another is not yet possible using Zentyal GUI
- still using Zentyal GUI, you can't change LDAP access control to these containers: e.g. if you create list of contacts in specific OU, changing access control to ensure it will not be visible to all is not feasible (again using Zentyal GUI).