Our account which queries the AD has more right than just read some information, because it is used for other purposes. Since it was not clear what the problem is I used a domain admin for testing - just to be sure it has nothing to do with access rights.
"NetUserGetLocalGroups failed: Access is denied." was exactly our problem.
Regards Wolfgang