As part of my normal design for SharePoint I set up groups for the various roles in a web site. I then set up the same group names in AD – people are added and removed from the AD groups, the process for modifying security roles in SharePoint is built into the governance policy, and everything is happy days.
I had an incident recently where I’d set the groups up in SP and the Sys Admin had set the groups up in AD with the members. I then removed all of the named users that were in there and suddenly started to see some odd behaviour with my test user – essentially the access would vary between partial access (where the user could see a page without a theme applied – similar to when they do not have access to the "Style Resource Readers" group in a publishing site) and no access at all.
It turns out that SharePoint does not like using Universal Groups when you add an AD Universal Group to the SP Group. When you change them to Global groups, everything works fine. I’d never set up groups in AD that weren’t Global groups (this was years ago) – more recently, I guess everyone who’d created them for me had them nested correctly 🙂 Here’s a good blog article from a ‘softie which has some great TechNet links: http://hermansberghem.blogspot.com/2008/04/windows-security-groups-vs-sharepoint.html
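
To check a site collection for the situation described above, the following added example (not part of the original post) lists every AD group that is a member of a SharePoint group and reports any whose scope is not Global. It assumes SharePoint 2010 or later with the `Microsoft.SharePoint.PowerShell` snap-in and the RSAT `ActiveDirectory` module; the site URL and the helper name `Resolve-AdGroupFromLogin` are placeholders.

```powershell
# Added example: audit the AD group scope of domain groups used in SharePoint groups.
Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue
Import-Module ActiveDirectory

$siteUrl = 'http://sharepoint.example.local'   # placeholder site collection URL

function Resolve-AdGroupFromLogin {
    param([string]$LoginName)
    # Claims-mode logins look like 'c:0+.w|s-1-5-21-...'; classic ones like 'DOMAIN\Group'.
    $id = ($LoginName -split '\|')[-1]
    if ($id -notmatch '^s-1-') { $id = ($id -split '\\')[-1] }
    try   { Get-ADGroup -Identity $id -ErrorAction Stop }
    catch { $null }   # e.g. group lives in another domain or was deleted
}

$site = Get-SPSite -Identity $siteUrl
try {
    # SiteGroups on the root web returns every SharePoint group in the site collection.
    $report = foreach ($spGroup in $site.RootWeb.SiteGroups) {
        foreach ($member in ($spGroup.Users | Where-Object { $_.IsDomainGroup })) {
            $adGroup = Resolve-AdGroupFromLogin $member.LoginName
            $name  = '(unresolved)'
            $scope = 'Unknown'
            if ($adGroup) {
                $name  = $adGroup.SamAccountName
                $scope = [string]$adGroup.GroupScope   # DomainLocal, Global or Universal
            }
            New-Object PSObject -Property @{
                SharePointGroup = $spGroup.Name
                Login           = $member.LoginName
                AdGroup         = $name
                Scope           = $scope
            }
        }
    }
}
finally { $site.Dispose() }

# Show only the memberships that need a look: anything that is not a Global group.
$report | Where-Object { $_.Scope -ne 'Global' } |
    Sort-Object AdGroup, SharePointGroup |
    Format-Table SharePointGroup, AdGroup, Scope, Login -AutoSize
```

A group flagged as Universal can be converted with `Set-ADGroup -Identity <group> -GroupScope Global`; Active Directory only allows that conversion when the group does not itself contain other Universal groups.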