I've posted a beta of the 01.00.04.21909 release of the provider here.

RELEASE NOTES:

This is the third release of the Active Directory Authentication Provider since being separated from the DNN Core code.

The provider requires Full Trust in order to operate.

If you currently have a 01.00.04 beta version installed you'll have to either uninstall it and install this version or after you install this version you'll have to manually copy the .dll into your bin\Providers folder (the package installer doesn't copy the .dll if the version is the same in the .dnn file).

Changes/Fixes for this release:
Same as in this post (http://www.dotnetnuke.com/Community/Forums/tabid/795/forumid/89/threadid/235377/scope/posts/Default.aspx
Plus:
ACD-6960 - Auth Providers: Active Directory 01.00.02 Boggs Down Server in DNN 4.8

I've locked the other beta post so if you had a question that was in there that I haven't answered ping me in this thread.

Wait, you can sync roles now when it wasn't working in an earlier beta? Even though the changes to this beta were related directly to the synchronization code it was just a fine tuning of the code. In the previous versions the code attempted to remove the user from every DNN/AD related role (whether the user belonged to it or not) and then re-add them to the roles they belonged to. If there were a lot of DNN/AD related roles this caused a lot of unnecessary calls to the database and slowed things down immensely. With this version it only deletes the user from DNN Roles when the user no longer belongs to the AD Group and only adds a user to a DNN Role when he doesn't already belong to it but has been added to the group in the AD.

It should't be affecting DNN Only Roles and I just did a quick test on my dev portal and the user wasn't removed from the DNN only role but I'll double check the code when I get back from my meeting.

I'll cover the rest of your comments when I get back as well.

EDIT: I stand corrected on the DNN Only roles and I'll get that fixed up ASAP. I tested against a role that I thought wasn't part of my AD but I guess it was.

Also, there's nothing I can do if a user has the ability to add themselves to an AD group, hits the site, see information they shouldn't, and then removes themselves from the group. Only people with proper permissions can change group memberships and one hopes that those who've been given such permissions are trustworthy.