Without going into too much backstory for Exchange admins who already know why UDGs need to be upgraded to USGs for ACLs on public folders and mailboxes, I was having an "intermittently persistent" issue where UDGs that are members of other USGs are not being automatically upgraded to USGs. Without the automatic upgrade, access to the resources the parent USG has been assigned will not work.
I started Googling to see what I could find. The org-level attribute to control UDG conversion was not set, nor has it ever been in my environment. UDGs are being successfully upgraded by Exchange; it is just nested UDGs that were having a problem. Then I found the reason, and there is actually a KB article for it: 898082.
By design, for performance reasons, when a UDG is a member, whether direct or nested, of a parent group that is a USG, Exchange will not convert the UDG to a USG. Only if the parent group, the one actually being assigned to a resource, is a UDG at the time it is added to the resource will Exchange convert the parent group and enumerate all members for other UDGs to be converted.
This makes sense: Exchange doesn't have to enumerate members every time a group is added to a resource to check for member conversions. Since conversion is meant to be a one-time event, performance would be adversely affected if it had to enumerate all members every time just to check for a UDG that happened to be added since the last time. So the enumeration only happens if the parent group is a UDG, which implies that the group has never been assigned to an Exchange resource and the one-time conversion can occur.
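
To find the groups this behavior affects, the following added example (not part of the original post or of KB 898082) walks each USG's membership and reports every UDG nested under it, directly or transitively. The function name `Find-NestedUdgUnderUsg`, the `example.test` domain and the sample groups are hypothetical; against a real directory the input would come from `Get-ADGroup -Filter * -Properties member`.

```powershell
# Added example. Input objects need DistinguishedName, GroupCategory, GroupScope
# and member (list of member DNs), e.g. from the ActiveDirectory module:
#   Get-ADGroup -Filter * -Properties member
function Find-NestedUdgUnderUsg {
    param([Parameter(Mandatory)] [object[]] $Groups)

    # Index groups by DN (hashtable string keys are case-insensitive, like DNs).
    $byDn = @{}
    foreach ($g in $Groups) { $byDn[[string]$g.DistinguishedName] = $g }

    $parents = $Groups | Where-Object {
        "$($_.GroupScope)" -eq 'Universal' -and "$($_.GroupCategory)" -eq 'Security'
    }
    foreach ($usg in $parents) {
        $seen  = @{}
        $queue = [System.Collections.Generic.Queue[string]]::new()
        foreach ($m in $usg.member) { $queue.Enqueue([string]$m) }
        while ($queue.Count -gt 0) {
            $dn = $queue.Dequeue()
            if ($seen.ContainsKey($dn)) { continue }   # guard against circular nesting
            $seen[$dn] = $true
            $child = $byDn[$dn]
            if ($null -eq $child) { continue }         # member is not a group
            if ("$($child.GroupScope)" -eq 'Universal' -and
                "$($child.GroupCategory)" -eq 'Distribution') {
                [pscustomobject]@{ ParentUsg = [string]$usg.DistinguishedName; NestedUdg = $dn }
            }
            # Keep descending: a UDG can itself contain further UDGs.
            foreach ($m in $child.member) { $queue.Enqueue([string]$m) }
        }
    }
}

# Constructed sample data (hypothetical groups, not from a real directory).
$base = 'OU=Groups,DC=example,DC=test'
$sample = @(
    [pscustomobject]@{ DistinguishedName = "CN=Finance-USG,$base"; GroupCategory = 'Security'; GroupScope = 'Universal'; member = @("CN=Team-A,$base", "CN=alice,OU=Users,DC=example,DC=test") }
    [pscustomobject]@{ DistinguishedName = "CN=Team-A,$base"; GroupCategory = 'Distribution'; GroupScope = 'Universal'; member = @("CN=Team-B,$base") }
    [pscustomobject]@{ DistinguishedName = "CN=Team-B,$base"; GroupCategory = 'Distribution'; GroupScope = 'Universal'; member = @("CN=Team-A,$base") }
    [pscustomobject]@{ DistinguishedName = "CN=Other-UDG,$base"; GroupCategory = 'Distribution'; GroupScope = 'Universal'; member = @() }
)
Find-NestedUdgUnderUsg -Groups $sample | Format-Table -AutoSize
```

Each row is a UDG that, per the behavior described above, Exchange leaves unconverted when the parent USG is assigned to a resource.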