I have a Windows 2008 domain that I am querying via ldapsearch and if I use a domain administrator account I get all the users I would expect, but if I use the service account I created for this purpose I miss random objects.
For example:
#> ldapsearch -LLL -H ldap://domain-controller.my-domain.com:389 -b 'dc=MY-DOMAIN,dc=COM' -D 'MY-DOMAIN\administrator' -W '(&(objectClass=Person)(sAMAccountName=*)(memberof=cn=StashTeam,ou=MyTeams,ou=MyDomainUsers,dc=MY-DOMAIN,dc=COM)(!(userAccountControl=514)))' | grep cn:
I get a list of:
cn: Homer Simpson
cn: Marge Simpson
cn: Bart Simpson
cn: Lisa Simpson
cn: Maggie Simpson
However if I run (using my Service Account):
#> ldapsearch -LLL -H ldap://domain-controller.my-domain.com:389 -b 'dc=MY-DOMAIN,dc=COM' -D 'MY-DOMAIN\ServiceUser' -W '(&(objectClass=Person)(sAMAccountName=*)(memberof=cn=StashTeam,ou=MyTeams,ou=MyDomainUsers,dc=MY-DOMAIN,dc=COM)(!(userAccountControl=514)))' | grep cn:
I get a list like:
cn: Homer Simpson
cn: Lisa Simpson
cn: Maggie Simpson
This is probably a hidden permissions issue, since AD can stash accounts in odd places, and permissions can be taken away if you're not careful.
The first troubleshooting step I'd do is see if there are any correlations in location among the accounts that are getting missed. That may point to a location where the rights are subtly different.
If they don't correlate to specific locations, the next step is to look at the permissions on the individual objects to determine if there are differences that can get in the way.
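One way to carry out the answer's first step, correlating the missed accounts by where they sit in the directory, as an added example that is not code from the question or the answer. It reuses the question's host, base and filter; the OU names, the folded sample output and the password-file argument are constructed assumptions.

```python
import re
import subprocess

LDAP_URI = "ldap://domain-controller.my-domain.com:389"
BASE_DN = "dc=MY-DOMAIN,dc=COM"
FILTER = ("(&(objectClass=Person)(sAMAccountName=*)"
          "(memberof=cn=StashTeam,ou=MyTeams,ou=MyDomainUsers,dc=MY-DOMAIN,dc=COM)"
          "(!(userAccountControl=514)))")

def search_as(bind_dn, password_file):
    """Run the question's search as one identity, asking for DNs only (needs the live DC)."""
    cmd = ["ldapsearch", "-LLL", "-x", "-H", LDAP_URI, "-b", BASE_DN,
           "-D", bind_dn, "-y", password_file, FILTER, "dn"]  # -y reads the password from a file
    return subprocess.run(cmd, capture_output=True, text=True, check=True).stdout

def parse_dns(ldif_text):
    """Set of DNs in -LLL output; ldapsearch folds long lines onto a continuation line that starts with a space."""
    unfolded = ldif_text.replace("\n ", "")
    return {line[4:].strip() for line in unfolded.splitlines() if line.startswith("dn: ")}

def parent_container(dn):
    """Drop the leading RDN to get the container; a backslash-escaped comma does not end the RDN."""
    return re.split(r"(?<!\\),", dn, maxsplit=1)[1]

def missing_by_container(admin_ldif, service_ldif):
    """DNs the admin bind returns but the service bind does not, grouped by parent container.
    All misses under one OU point at that OU's ACL; scattered misses point at per-object ACLs."""
    missing = parse_dns(admin_ldif) - parse_dns(service_ldif)
    groups = {}
    for dn in sorted(missing):
        groups.setdefault(parent_container(dn), []).append(dn)
    return groups

# Constructed sample output standing in for the two live searches; the OU names are made up
# and the last DN is folded the way ldapsearch wraps long lines.
ADMIN_LDIF = r"""dn: CN=Homer Simpson,OU=Staff,OU=MyDomainUsers,DC=MY-DOMAIN,DC=COM
dn: CN=Marge Simpson,OU=Stashed,OU=MyDomainUsers,DC=MY-DOMAIN,DC=COM
dn: CN=Simpson\, Bart,OU=Stashed,OU=MyDomainUsers,DC=MY-DOMAIN,DC=COM
dn: CN=Lisa Simpson,OU=Staff,OU=MyDomainUsers,DC=MY-DOMAIN,DC=COM
dn: CN=Maggie Simpson,OU=Staff,OU=MyDomainUsers,DC=MY-DOMAI
 N,DC=COM
"""
SERVICE_LDIF = "\n".join(l for l in ADMIN_LDIF.splitlines() if "Stashed" not in l)  # service bind misses one OU

if __name__ == "__main__":
    for container, dns in missing_by_container(ADMIN_LDIF, SERVICE_LDIF).items():
        print(container, "->", dns)
```

Against a live domain, feed `search_as('MY-DOMAIN\\administrator', pwfile)` and `search_as('MY-DOMAIN\\ServiceUser', pwfile)` into `missing_by_container` instead of the sample text.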