Microsoft Knowledge Base Article 331951 contains the following summary:
Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in the Microsoft Active Directory directory service. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function in the rest of this article) that reads this attribute do not succeed if the calling security context does not have access to the attribute. By default, access to the TGGAU attribute is determined by the Permission Compatibility decision (made when the domain was created during the DCPromo.exe process). The default permission compatibility for new Windows Server 2003 domains does not grant broad access to the TGGAU attribute. Access to read the TGGAU attribute can be granted as required to the new Windows Authorization Access (WAA) group in Windows Server 2003.
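
A diagnostic for the situation the summary describes, added here as an example and not taken from the Knowledge Base article: it tests whether the current security context can read TGGAU on one account and, if not, lists the current members of the WAA group. It assumes a domain-joined machine; `$TargetDn` and the function names are hypothetical, and the group is located by its well-known SID S-1-5-32-560.

```powershell
# Added example. $TargetDn is a constructed placeholder, not a value from the article.
param([string]$TargetDn = 'CN=Example User,CN=Users,DC=example,DC=com')

function Test-TggauRead {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $sids = @()
    $err  = $null
    try {
        $entry = [ADSI]"LDAP://$DistinguishedName"
        # TGGAU is a constructed attribute, so it has to be requested by name.
        $entry.RefreshCache(@('tokenGroupsGlobalAndUniversal'))
        foreach ($bytes in $entry.Properties['tokenGroupsGlobalAndUniversal']) {
            $sids += (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)).Value
        }
    }
    catch {
        $err = $_.Exception.Message
    }
    # Assumption: an account normally has at least its primary group in TGGAU,
    # so both an error and an empty result are reported as "not readable".
    [pscustomobject]@{
        Caller   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Target   = $DistinguishedName
        Readable = ($sids.Count -gt 0)
        Sids     = $sids
        Error    = $err
    }
}

function Get-WaaMember {
    # S-1-5-32-560 is the well-known SID of BUILTIN\Windows Authorization Access Group.
    $group = [ADSI]'LDAP://<SID=S-1-5-32-560>'
    @($group.Properties['member'])
}

$result = Test-TggauRead -DistinguishedName $TargetDn
$result | Format-List Caller, Target, Readable, Error
if (-not $result.Readable) {
    'Current members of Windows Authorization Access:'
    Get-WaaMember
}
```

Run it under the service or application account that is failing, since the result depends on the calling security context rather than on the target account.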