Ensure that the NETWORK SERVICE account has the "Read Member of" permission on the user object you are testing with, e.g. Colin Smith.
1. Open Active Directory Users and Computers (dsa.msc).
2. Click View, then Advanced Features.
3. Locate a problem user and open their Properties.
4. Click the Security tab, Advanced button, then the Effective Permissions tab.
5. Click the Select button and type the NETWORK SERVICE account. Click OK.
6. Locate the permission Read Member of and confirm that the permission is present.
To apply the permission change to all users in an OU:
7. Right click the OU and choose Properties.
8. Click the Security tab, then click the Advanced button.
9. Click Add and type NETWORK SERVICE. Click OK.
10. Click the Properties tab and, in the Apply to: drop-down list, choose Descendant User objects.
11. Locate the permission Read Member of and tick the Allow check box.
12. Click OK until you return to Active Directory Users & Computers.
13. Repeat steps 1 to 5 above to confirm that NETWORK SERVICE now has the permission "Read Member of".
Note: In some environments this change may not take effect straight away; it applies once the changes have been replicated to the Global Catalog server.
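The same check and grant can be scripted. The following PowerShell is an added example, not part of the original procedure; the OU and user distinguished names are placeholders, and it assumes dsacls.exe is available (domain controller or RSAT). Unlike the Effective Permissions tab, the check only looks at ACEs that name NETWORK SERVICE directly (well-known SID S-1-5-20), so access granted through a group or a property set is not reported.

```powershell
# Added example. Both DNs are placeholders; replace them with your own.
$OuDn    = 'OU=Staff,DC=example,DC=com'
$UserDn  = 'CN=Colin Smith,OU=Staff,DC=example,DC=com'
$Trustee = 'NT AUTHORITY\NETWORK SERVICE'
$NetSvc  = 'S-1-5-20'   # well-known SID of NETWORK SERVICE

# Look up the schemaIDGUID of memberOf (schema object CN=Is-Member-Of-DL)
# instead of hard-coding it.
$schemaNc = ([ADSI]'LDAP://RootDSE').schemaNamingContext
$attr     = [ADSI]"LDAP://CN=Is-Member-Of-DL,$schemaNc"
$memberOf = New-Object Guid (,[byte[]]$attr.psbase.Properties['schemaIDGUID'].Value)

function Test-ReadMemberOf {
    param([string]$Dn)
    $entry = [ADSI]"LDAP://$Dn"
    # Explicit and inherited ACEs, with trustees returned as SIDs.
    $rules = $entry.psbase.ObjectSecurity.GetAccessRules(
        $true, $true, [System.Security.Principal.SecurityIdentifier])
    $readProp    = [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
    foreach ($r in $rules) {
        # The ACE must cover memberOf itself or all properties (empty GUID),
        # and must apply to this object rather than only to its children.
        $coversAttr = ($r.ObjectType -eq $memberOf) -or ($r.ObjectType -eq [Guid]::Empty)
        $appliesHere = -not ($r.PropagationFlags -band $inheritOnly)
        if ($r.IdentityReference.Value -eq $NetSvc -and
            $r.AccessControlType -eq 'Allow' -and
            ($r.ActiveDirectoryRights -band $readProp) -and
            $coversAttr -and $appliesHere) {
            return $true
        }
    }
    return $false
}

if (-not (Test-ReadMemberOf $UserDn)) {
    # /I:S  = apply to sub-objects only
    # RP    = read property, limited to the memberOf attribute
    # ;user = inherit only onto descendant user objects
    dsacls $OuDn /I:S /G "${Trustee}:RP;memberOf;user" | Out-Null
}

"Read memberOf for NETWORK SERVICE on ${UserDn}: $(Test-ReadMemberOf $UserDn)"
```

The ACE grants read access to one attribute on user objects below one OU, which keeps the change as narrow as the GUI steps above. If the final line still reports False, re-run the check after replication has completed.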