I haven't had time to fully read through your post or do any re-testing, but I did want to point you in the direction of using a UDF that uses the more current LDAP object instead of the WINNT object.

GetADUserGroups -
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=198609#Post198609

How to use UDFs -
http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=81943#Post81943

The rest of the UDFs are here -
http://www.kixtart.org/forums/ubbthreads.php?ubb=postlist&Board=7&page=1