Users should be automatically added to the roles entered in the DefaultUserRoles setting in the web.config. As for your proposed solution, it might work, but it is probably not what I would settle for (taking the users from the AD, but using the ASP.NET roles). Looking at the results of your tests, things do look strange. Your current user is not recognized as a member of the Domain Admins role, which should not be the case if I understand everything correctly. It seems like he is not a member of any of the "important" roles, but he still has 26 roles attached to him - it would be nice if you could compare the GUIDs of his roles to the IDs of the roles in the aspnet_roles table, to see exactly which roles are recognized.