Had a similar problem, and it came down to sAMAccountName having title caps for some (but not all) users in AD. It appears that ONTAP searches for secondary groups by using whatever it receives back from "ldap.nssmap.attribute.uid" and looks in the attribute "ldap.nssmap.attribute.memberUid" within group objects. In my AD, this attribute only included all lowercase names (so searches with title caps were failing). I changed "ldap.nssmap.attribute.uid" to msSFU30Name, which solved my problem. However, you may or may not have this attribute depending on how you expanded your schema. Either way, find an attribute in your user objects that always matches the case of the attribute memberUid in your group objects.
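The lookup described in this reply, simulated as an added example (not code from the post or from ONTAP): the user attribute mapped to the uid is compared verbatim against memberUid in group objects, so a case mismatch silently drops secondary groups; the user and group entries, the attribute names used as candidates, and the function names are constructed for illustration.

```python
# Constructed sample directory data: one user whose sAMAccountName has
# title caps while memberUid in the groups is all lowercase.
USERS = [
    {"dn": "CN=Jane Doe,OU=Users,DC=example,DC=com",
     "sAMAccountName": "Jane.Doe", "msSFU30Name": "jane.doe"},
    {"dn": "CN=Bob Roe,OU=Users,DC=example,DC=com",
     "sAMAccountName": "bob.roe", "msSFU30Name": "bob.roe"},
]
GROUPS = [
    {"cn": "storage-admins", "memberUid": ["jane.doe", "bob.roe"]},
    {"cn": "backup-ops", "memberUid": ["jane.doe"]},
]


def secondary_groups(user, groups, uid_attr, case_sensitive=True):
    """Group names whose memberUid list contains the user's uid value.

    The value of uid_attr is taken verbatim from the user object, as the
    reply describes; with case_sensitive=True 'Jane.Doe' != 'jane.doe'.
    """
    uid = user[uid_attr]

    def same(a, b):
        return a == b if case_sensitive else a.lower() == b.lower()

    return sorted(g["cn"] for g in groups
                  if any(same(uid, m) for m in g["memberUid"]))


def case_mismatches(users, groups, uid_attr):
    """{uid value: [groups lost]} for users whose uid_attr value matches
    memberUid entries only when letter case is ignored."""
    missed = {}
    for u in users:
        exact = set(secondary_groups(u, groups, uid_attr, True))
        loose = set(secondary_groups(u, groups, uid_attr, False))
        if loose - exact:
            missed[u[uid_attr]] = sorted(loose - exact)
    return missed


def consistent_uid_attributes(users, groups, candidates):
    """Candidate uid attributes that never lose a group on case alone,
    i.e. the ones worth mapping to ldap.nssmap.attribute.uid."""
    return [a for a in candidates if not case_mismatches(users, groups, a)]
```

Run `case_mismatches(USERS, GROUPS, "sAMAccountName")` against an export of your own user and group objects to see which accounts would lose groups before changing the mapping.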