10.5.2 PDC not resolving groups for WIN clients

All, I'm running a PDC on a 10.5.2 OD. I'm having trouble getting groups to map correctly. On the PDC I can run 'net groupmap list' and it returns what looks to be the correct list of groups and mappings. Here's a snip ... net groupmap list Domain Computers (S-1-5-21-4256200450-1321934421-1368644343-515) -> domaincomputers Domain Admins (S-1-5-21-4256200450-1321934421-1368644343-512) -> domainadmins Domain Users (S-1-5-21-4256200450-1321934421-1368644343-513) -> domainusers ard_admin (S-1-5-21-4256200450-1321934421-1368644343-3079) -> ard_admin ard_interact (S-1-5-21-4256200450-1321934421-1368644343-3077) -> ard_interact ard_manage (S-1-5-21-4256200450-1321934421-1368644343-3075) -> ard_manage ard_reports (S-1-5-21-4256200450-1321934421-1368644343-3085) -> ard_reports bridges (S-1-5-21-4256200450-1321934421-1368644343-3051) -> bridges However on a bound Windows client if I run 'net group /domain' it returns ' There are no entries in the list.' 'net user /domain' correctly returns all users in the domain. And a bit more strange ... users that are part of Domain Admins in the OD *do* resolve as Windows administrators on the bound boxes, but 'HEALTH\Domain Admins' cannot be added to the security ACL's of a folder. Am I missing a switch somewhere? As always, thanks in advance. peet