I'm trying to play catch-up here. BTW, thanks Howard for looking at this.

As a side-note to anyone trying this from home, or probably more appopriate, from work... This does require the ADsSecurity.dll in order to associate the NT account with a SID.

Does the GetInfoEx have anything to do with this: http://msdn.microsoft.com/library/default.asp?url=/library/en-us/netdir/ad/optimization_using_getinfoex.asp