Eu não encontrei uma confirmação firme disso, além de observá-lo por mim mesmo.
A solução é evitar o uso de Usuários do Domínio para atribuir permissões, usando uma OU diferente de contêiner.
Atualização 22/08/17:
Encontrei confirmação independente do comportamento, afirmando que:
Most methods do not reveal membership in the "primary" group. For most users, the "primary" group should be "Domain Users". Specifically, the memberOf attribute of user objects, and the member attribute of group objects, never reveals "primary" group membership. In most domains, the member attribute of the "Domain Users" group is empty, and it is safe to assume that all users belong to this group. If you need to query for all users that have "Domain Users" designated as their "primary", search for all users whose primaryGroupID attribute is 513. The primaryGroupToken attribute of the group "Domain Users" is the same integer, 513. The LDAP syntax filter could be: (primaryGroupID=513) Or, to find all direct members of "Domain Users", plus all users that have this group designated as their "primary": (|(memberOf=cn=Domain Users,cn=Users,dc=MyDomain,dc=com)(primaryGroupID=513)) To find all users that have some other group designated as their "primary", the filter could be: (&(objectCategory=person)(objectClass=user)(!primaryGroupID=513))
Fonte aqui: link