Let me explain with an example:
Say you have a user DOMAIN\John. If you make him a member of the "Administrators" group in Active Directory, he will have login rights to log in to the Domain Controller and manipulate files on the DC as he wishes. But if he logs in to a workstation in the same domain, he won't have admin rights to the workstation. That is because the Administrators group is really a fake group for local admin rights to the DC only. It doesn't affect other machines on the domain.
In other words, the scope of the group doesn't extend past the DC, so its use is limited, and you are hitting one of those limitations.
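
One way to check this on your own domain, as an added example that is not part of the original answer. It assumes the RSAT ActiveDirectory module is installed, that the script runs on the domain-joined workstation in question, and that `DOMAIN\John` is the sample account from the answer above.

```powershell
# Added example. Assumes the RSAT ActiveDirectory module and a domain-joined workstation.
# 'DOMAIN\John' is the sample account used in the answer above.
Import-Module ActiveDirectory

$adminsSid = 'S-1-5-32-544'   # well-known SID of the built-in Administrators group

# 1. The "Administrators" group in Active Directory is the built-in group
#    held in the domain's Builtin container. Decode its groupType flags.
$adGroup = Get-ADGroup -Identity $adminsSid -Properties groupType
$flags = [ordered]@{
    BuiltinLocal = [bool]($adGroup.groupType -band 0x1)
    Global       = [bool]($adGroup.groupType -band 0x2)
    DomainLocal  = [bool]($adGroup.groupType -band 0x4)
    Universal    = [bool]($adGroup.groupType -band 0x8)
}

# 2. Is John a member of that AD group, directly or through nesting?
$inAdGroup = [bool](Get-ADGroupMember -Identity $adGroup -Recursive |
    Where-Object SamAccountName -eq 'John')

# 3. The workstation has its own, separate Administrators group with the
#    same SID in its local account database. Membership of the AD group in
#    step 1 does not carry over to it.
#    Get-LocalGroupMember lists direct members only, so also review any
#    domain groups it returns (John could be a member of one of those).
$localMembers = Get-LocalGroupMember -SID $adminsSid
$inLocalGroup = [bool]($localMembers | Where-Object Name -eq 'DOMAIN\John')

[pscustomobject]@{
    AdGroup              = $adGroup.DistinguishedName
    AdGroupFlags         = ($flags.GetEnumerator() | Where-Object Value).Name -join ', '
    JohnInAdGroup        = $inAdGroup
    Workstation          = $env:COMPUTERNAME
    LocalAdminMembers    = $localMembers.Name -join '; '
    JohnDirectLocalAdmin = $inLocalGroup
}
```

If `JohnInAdGroup` is true while John is neither listed in `LocalAdminMembers` nor a member of a group listed there, you are seeing the scope limit described above.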