I've run into a similar situation when I was migrating a NT4 domain to AD, it could be a problem called "token bloat". If you google it you'll find some nice references, but I'd tell you to start thinking in redesign your group strategy.
~ NEW: CounterSpy Enterprise: Centralized Antispyware - #1 in eWEEK Test! ~
~ <http://www.sunbelt-software.com/product.cfm?id=400> ~
