After Update to UCS 5 the users (seem) to have no memberOf attribute attached anymore
UCS 5 comming from UCS 4 with samba ad
Verify if group “Pre-Windows 2000 Compatible Access” has a security principal attached:
root@dc0:~# samba-tool group listmembers "Pre-Windows 2000 Compatible Access" S-1-5-11
The default looks like above. If there is no security principal attached you need to add one.
root@dc0:~# samba-tool group addmembers "Pre-Windows 2000 Compatible Access" --member-dn="CN=S-1-5-11,CN=ForeignSecurityPrincipals,$(ucr get samba4/ldap/base)"
The default is AUTHENTICATED_USERS (S-1-5-11) but maybe you want to set ENTERPRISE_DOMAIN_CONTROLLERS (S-1-5-9) as this is not so open and should be enough for univention-s4search and within a big usage scope.
The workaround against printing nightmare in windows AD was removing authenticated users from the group.