If these are global groups and you are in a AD domain then:
1. The group change needs to replicate to the DCs and to the global catalog (GC) servers. You do have global catalogs right?
2. After replication the user must logon again to have the global groups attached to the user's security token. The GC is responsible for performing this global group attachment to the users security token from what I remember.
See: http://www.kixtart.org/ubbthreads/showflat.php?Cat=&Number=62076
http://www.kixtart.org/ubbthreads/showflat.php?Cat=&Number=62086
After you have deleted the Tokencache and have rerun your script using ENUMGROUP, what is in the Tokencache?
