Microsoft Knowledge Base Article 331951 contains the following summary:
Some applications have features that read the token-groups-global-and-universal (TGGAU) attribute on user account objects or on computer account objects in the Microsoft Active Directory directory service. Some Win32 functions make it easier to read the TGGAU attribute. Applications that read this attribute or that call an API (referred to as a function in the rest of this article) that reads this attribute do not succeed if the calling security context does not have access to the attribute.
By default, access to the TGGAU attribute is determined by the Permission Compatibility decision (made when the domain was created during the DCPromo.exe process). The default permission compatibility for new Windows Server 2003 domains does not grant broad access to the TGGAU attribute. Access to read the TGGAU attribute can be granted as required to the new Windows Authorization Access (WAA) group in Windows Server 2003.
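
The following PowerShell script is an added example, not part of the KB article. It checks whether the current security context can read the TGGAU attribute on one account and lists the members of the Windows Authorization Access group. The target distinguished name is a constructed sample value, and the function names are hypothetical; the group is located by its well-known SID, S-1-5-32-560.

```powershell
# Added example (not from the KB article). $TargetDn is a constructed sample
# value; pass the distinguished name of a real user or computer account.
param([string]$TargetDn = 'CN=Sample User,CN=Users,DC=example,DC=com')

function Test-TggauReadAccess {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    $entry = [ADSI]"LDAP://$DistinguishedName"
    $failure = $null
    $groups = @()
    try {
        # TGGAU is a constructed attribute, so it must be requested by name.
        $entry.psbase.RefreshCache([string[]]@('tokenGroupsGlobalAndUniversal'))
        $groups = @(foreach ($bytes in $entry.psbase.Properties['tokenGroupsGlobalAndUniversal']) {
            $sid = New-Object System.Security.Principal.SecurityIdentifier([byte[]]$bytes, 0)
            try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $sid.Value }   # keep the raw SID if it cannot be resolved
        })
    } catch {
        $failure = $_.Exception.Message
    }
    [pscustomobject]@{
        Account = $DistinguishedName
        # Assumption: an empty result is treated the same as a denied read.
        CanRead = ($groups.Count -gt 0)
        Groups  = $groups
        Error   = $failure
    }
}

function Get-WaaMember {
    # S-1-5-32-560 is the well-known SID of BUILTIN\Windows Authorization Access Group.
    $waa = [ADSI]'LDAP://<SID=S-1-5-32-560>'
    @($waa.psbase.Properties['member'])
}

$context = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$result = Test-TggauReadAccess -DistinguishedName $TargetDn
"Calling context : $context"
"TGGAU readable  : $($result.CanRead)"
if ($result.Error) { "Read error      : $($result.Error)" }
'WAA members     :'
Get-WaaMember | ForEach-Object { "  $_" }
```

Run it as the service or application account that is failing; if the read is denied and that account is not in the listed membership, that matches the condition the summary describes.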