Native Active Directory limitations.
Active Directory requires that every operation it processes is logged to the Security event log for auditing. If an event cannot be logged, the operation is denied.
By default, up to 17000 audit entries are held in memory while they wait to be written to the Security log. A large operation (for example, a bulk change to group membership) can fill this cache faster than the Domain Controller can flush it. When that happens, the operations whose audit events could not be cached are denied, so the resulting group membership is not what was expected.
When this occurs, the Active Directory Domain Controller records the following message in its Security log:
Event ID: 2866
Task Category: Security
Computer: <domain controller>
While logging audit events for the following object, the directory service reached the maximum number of audit events that could be cached in memory at any given time. As a result of reaching this limit, the operation was aborted.
Maximum number of audit events that can be cached: 17000
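The following PowerShell is an added example, not part of the original page: it checks every domain controller's Security log for the Event ID 2866 message quoted above, and performs a bulk group-membership change in small, paced batches so that one operation does not flood the audit cache, then verifies that the group membership ended up as expected. The group name, batch size and pause length are assumed placeholders to tune for your environment.

```powershell
# Added example: detect audit-cache exhaustion (Event ID 2866) on the DCs and
# add group members in paced batches. Requires the ActiveDirectory RSAT module
# and permission to read the Security log on each domain controller.
Import-Module ActiveDirectory

function Get-AuditCacheExhaustion {
    param([datetime]$Since = (Get-Date).AddDays(-1))
    # One row per DC: how many 2866 events since $Since and when the last one was seen.
    foreach ($dc in Get-ADDomainController -Filter *) {
        $events = @(Get-WinEvent -ComputerName $dc.HostName -ErrorAction SilentlyContinue `
            -FilterHashtable @{ LogName = 'Security'; Id = 2866; StartTime = $Since })
        [pscustomobject]@{
            DomainController = $dc.HostName
            Events2866       = $events.Count
            LastSeen         = if ($events.Count -gt 0) { $events[0].TimeCreated } else { $null }
        }
    }
}

function Add-ADGroupMemberBatched {
    param(
        [Parameter(Mandatory)][string]$GroupName,      # assumed: group sAMAccountName
        [Parameter(Mandatory)][string[]]$Members,      # assumed: user sAMAccountNames
        [int]$BatchSize = 500,                         # assumed pacing values
        [int]$PauseSeconds = 5
    )
    $started = Get-Date
    for ($i = 0; $i -lt $Members.Count; $i += $BatchSize) {
        $last  = [Math]::Min($i + $BatchSize, $Members.Count) - 1
        $batch = $Members[$i..$last]
        Add-ADGroupMember -Identity $GroupName -Members $batch
        Start-Sleep -Seconds $PauseSeconds
    }
    # Did any DC report that its audit cache overflowed while we were running?
    $hits = Get-AuditCacheExhaustion -Since $started | Where-Object Events2866 -gt 0
    foreach ($h in $hits) {
        Write-Warning "$($h.DomainController) logged $($h.Events2866) Event 2866 entries; some adds may have been denied."
    }
    # Membership may be incomplete when adds were denied, so compare expected vs actual.
    $actual  = Get-ADGroupMember -Identity $GroupName | Select-Object -ExpandProperty SamAccountName
    $missing = Compare-Object -ReferenceObject $Members -DifferenceObject @($actual) |
               Where-Object SideIndicator -eq '<=' | Select-Object -ExpandProperty InputObject
    return $missing   # empty when every requested member is now in the group
}
```

Run `Get-AuditCacheExhaustion` on its own as a periodic check; a non-empty result from `Add-ADGroupMemberBatched` lists the members that still need to be added, so the job can be re-run for just those.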