Thanks for the update.
I would certainly continue to look at the environment.
To give you some more background: you mentioned that your application may be using local users/groups. Remember that we are involved in the name resolution or group enumeration process, but first we need to determine if the user or group is our responsibility.
Because of that you have two things working against you:
a) Express works in Auto Zone, better suited for smaller AD environments
b) Potential duplicates, if there are accounts that are referenced by your app that exist in AD. E.g., you may have a local account called 'jboss' but also an AD user called 'jboss'. Express will show all AD users/groups, therefore you may waste cycles.
If there are such naming collisions, you can use the user.ignore or group.ignore files to exclude them from our checking.
Again, I appreciate you coming back with info. Unfortunately most people just abandon the thread and we don't know if our assistance helped or not.
Keep at it.