I clearly need some educatin' here. I'm very much not an administrator, so bear with me.
"TestWindowsUser is in a domain group that is a member of db_owner and another that is a member of db_dataReader."
I'm lost as to when this happens. I see that he's in two domain groups, but I'm not seeing where those groups are made members of db_owner and db_reader. I see two users from those groups who are assigned those roles... does assigning a user to a role assign every user in that domain group to the same role? That's doesn't seem right.
Apologies if I'm missing the obvious. I've never worked with this stuff before.
ron
-----
a haiku...
NULL is not zero
NULL is not an empty string
NULL is the unknown