While groups are the usual way of giving access to resources in an environment, another lesser-known but equally important Active Directory (AD) feature, Primary Group, can also give access to resources.
Primary Group is a mechanism that Microsoft created to support legacy UNIX applications, which store group memberships differently from Windows.
As such, being a member of a group and having that group set as Primary Group work in exactly the same way in AD.
Microsoft's AD management software is aware of this feature, but not all external monitoring tools are.
Therefore, using Primary Group is at the very least considered a bad practice, and at worst a security risk to address.
Reset all user primaryGroupId attributes to a safe value.
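
The following script is an added example, not part of the original page or of any vendor tooling, showing one way to audit and reset the attribute with the ActiveDirectory PowerShell module. It assumes that RID 513 (Domain Users) is the safe value and that the built-in Guest account should be left alone; the parameter names `SafeRid` and `Remediate` are hypothetical.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$SafeRid = 513,   # assumed "safe value": RID 513 = Domain Users
    [switch]$Remediate     # hypothetical switch: report only unless set
)

$domainSid = (Get-ADDomain).DomainSID.Value
$safeGroup = Get-ADGroup -Identity "$domainSid-$SafeRid"

# primaryGroupID stores only the group's RID, and the membership it grants is
# not listed in memberOf, so the attribute has to be queried directly.
# The built-in Guest (RID 501) uses Domain Guests (514) by default and is
# excluded here (assumption: it should keep its default).
$filter = "(&(objectCategory=person)(objectClass=user)(!(primaryGroupID=$SafeRid)))"
$users  = Get-ADUser -LDAPFilter $filter -Properties primaryGroupID, memberOf |
    Where-Object { $_.SID.Value -ne "$domainSid-501" }

# Report: resolve each RID to the group name it actually grants.
$users | ForEach-Object {
    [pscustomobject]@{
        SamAccountName = $_.SamAccountName
        Enabled        = $_.Enabled
        PrimaryGroupID = $_.primaryGroupID
        PrimaryGroup   = (Get-ADGroup -Identity "$domainSid-$($_.primaryGroupID)").Name
    }
} | Sort-Object PrimaryGroup, SamAccountName | Format-Table -AutoSize

if ($Remediate) {
    foreach ($u in $users) {
        # AD rejects a primaryGroupID for a group the account is not a member of,
        # so add the ordinary membership first when it is missing.
        if ($u.memberOf -notcontains $safeGroup.DistinguishedName) {
            Add-ADGroupMember -Identity $safeGroup -Members $u
        }
        Set-ADUser -Identity $u -Replace @{ primaryGroupID = $SafeRid }
    }
}
```

Run it with `-Remediate -WhatIf` first to preview the changes. After the reset, an account stays an ordinary member of its former primary group, so review that membership as well.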