AD user group assignments can fail for a few reasons. The basic ones are that the server can't contact the domain controller or the user isn't a member of the AD group specified in the Afaria user group. Peter's mention of the AssignmentsUserName is another. If this field is blank, or if the format doesn't match the attribute specified on the Server > Configuration \ Security page, then we may not be able to match it. In SP5 we have much better handling of this and are able to correct the format to match the attribute in most cases.
If your "Server Address" field on the Security config page is just a DNS or IP without a port, I would suggest trying to add the Global Catalog port (":3268") and see if the behaviour is any different. (Note: You can only use GC with the AD authentication option, not NT or LDAP.)
Otherwise, clarifying the structure of your domain would be useful.
Are you using a single domain structure or are there children domains?
Is your search root against the root domain or the children?
Thanks,
Keith Nunn
SAP Active Global Support
SAP Canada