I clearly need some educatin' here. I'm very much not an administrator, so bear with me.

"TestWindowsUser is in a domain group that is a member of db_owner and another that is a member of db_dataReader."

I'm lost as to when this happens. I see that he's in two domain groups, but I'm not seeing where those groups are made members of db_owner and db_reader. I see two users from those groups who are assigned those roles... does assigning a user to a role assign every user in that domain group to the same role? That's doesn't seem right.

Apologies if I'm missing the obvious. I've never worked with this stuff before.

ron