We had same issue after changing ownership of the MQ Domain service account. After removing/adding the same AD groups, everything worked. I think the error is not exactly related to read the group membership, but finding the account in the correct groups.