On your domain object, you need to assign the querying user the "Read MemberOf" right to User objects.

  • Open Active Directory Users and Computers (AD U&C) and browse to your domain object
  • Right click and go to properties
  • Security tab, click Advanced
  • Click Add
  • Enter the user name to add
  • Click the Properties tab
  • In 'Apply Onto' change the type to User
  • Click the "Read MemberOf" checkbox
  • OK out of there

That should set it up so that the specified account can read the group memberships of all User accounts in the domain.
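
The same delegation can be scripted and then verified. This is an added example, not part of the original answer: it grants read access to the memberOf attribute only, inherited by User objects only. It assumes the RSAT ActiveDirectory module is installed, and the account name `EXAMPLE\svc-ldapquery` is a placeholder.

```powershell
# Added example: scripted equivalent of the GUI steps above.
# Assumptions: RSAT ActiveDirectory module is available; the account name
# below is a placeholder for the querying user.
Import-Module ActiveDirectory

$account  = 'EXAMPLE\svc-ldapquery'              # placeholder querying account
$domainDN = (Get-ADDomain).DistinguishedName
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# Resolve the schema GUIDs for the memberOf attribute and the user class
# from the directory itself instead of hard-coding them.
$memberOfGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=memberOf)' -Properties schemaIDGUID).schemaIDGUID
$userGuid = [guid](Get-ADObject -SearchBase $schemaNC `
    -LDAPFilter '(lDAPDisplayName=user)' -Properties schemaIDGUID).schemaIDGUID

# Resolve the account to a SID so later comparisons do not depend on name format.
$sid = (New-Object System.Security.Principal.NTAccount($account)).Translate(
    [System.Security.Principal.SecurityIdentifier])

# Allow ReadProperty on memberOf only, applied to descendant User objects only.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberOfGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userGuid)

$path = "AD:\$domainDN"
$acl  = Get-Acl -Path $path
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl

# Verify: list every explicit ACE this account holds on the domain object,
# so anything broader than the single memberOf read entry stands out.
(Get-Acl -Path $path).GetAccessRules($true, $false,
        [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference -eq $sid } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType,
                  InheritanceType, InheritedObjectType |
    Format-Table -AutoSize
```

The verification output should show one Allow entry with ReadProperty rights whose ObjectType and InheritedObjectType match the two GUIDs resolved above.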