Metaprofiles that are assigned to a group are not being set on members of that group.
If assigned directly to a User, it works fine.
The Metaprofile service runs on the Terminal Server as Local System. This means it uses the machine's AD computer account to read user and group information from Active Directory. If your AD has been locked down, the machine account may not have sufficient permissions to read those objects correctly.
Use the Active Directory Delegate Control wizard to grant the missing permissions to the AD computer object that represents the Terminal Server(s) having the problem.
For example, if your Terminal Server is called Terminal1, you would delegate Read MemberOf permissions so that Terminal1 can read the group membership details of any account in AD.
By default, all objects in Active Directory have read permissions on other objects, but in a locked-down environment some of these default permissions may have been removed.
The procedure required is:
1. Right-click on the domain object in Active Directory Users and Computers and click "Delegate Control...".
2. Click "Next", then "Add...", and click "Object Types". Tick the "Computers" checkbox, click OK, and type the name of the MetaProfiles server.
3. Click "Check Names" and then OK once the name is resolved.
4. Click "Create a custom task to delegate", then select "Only the following objects in the folder", tick "User objects" and click Next.
5. Tick "Property-specific", scroll down to "Read Member Of" and tick the box next to it. Click OK and then Next.
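The same delegation can be scripted and verified from PowerShell. The following is an added example, not part of the original article or the MetaProfiles product: it grants the Terminal Server's computer account read access to the memberOf attribute of user objects only (the same scope the wizard steps produce), and assumes the RSAT ActiveDirectory module is installed and that the computer account is named Terminal1.

```powershell
# Added example: delegate "Read memberOf" on user objects to a computer account.
# Assumes the RSAT ActiveDirectory module and a computer account named Terminal1.
Import-Module ActiveDirectory

$computerName = 'Terminal1'            # assumed name of the MetaProfiles Terminal Server
$domainDN     = (Get-ADDomain).DistinguishedName
$schemaNC     = (Get-ADRootDSE).schemaNamingContext

# Look the schema GUIDs up rather than hard-coding them.
$memberOfGuid  = [guid](Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'memberOf'" -Properties schemaIDGUID).schemaIDGUID
$userClassGuid = [guid](Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq 'user'"     -Properties schemaIDGUID).schemaIDGUID

# The computer account's SID is the trustee for the new ACE.
$computerSid = (Get-ADComputer -Identity $computerName).SID

# ACE: allow ReadProperty on memberOf, applied to descendant user objects only.
# This is narrower than granting generic read on the whole domain.
$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $computerSid,
    [System.DirectoryServices.ActiveDirectoryRights]::ReadProperty,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $memberOfGuid,
    [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
    $userClassGuid)

$acl = Get-Acl -Path "AD:\$domainDN"
$acl.AddAccessRule($ace)
Set-Acl -Path "AD:\$domainDN" -AclObject $acl

# Verify: list the ACEs on the domain root that name the computer account.
(Get-Acl -Path "AD:\$domainDN").Access |
    Where-Object { $_.IdentityReference -like "*\$computerName`$" } |
    Select-Object ActiveDirectoryRights, AccessControlType, ObjectType, InheritanceType, InheritedObjectType
```

Run it as a user who holds Modify permissions on the domain root; the verification output should show a ReadProperty ACE whose ObjectType is the memberOf GUID and whose InheritedObjectType is the user class GUID.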