Friday, October 28, 2011

Issue with Site Collection Admins, AD groups and GetUserEffectivePermissions in Sharepoint 2010

As you may know, I have been working on a custom Request Access page for Sharepoint 2010. During the process of this I ran into an interesting issue related to using AD Groups for your Site Collection Administrators and what is returned by GetUserEffectivePermissions and DoesUserHavePermissions. To simulate it you can do the following:
  1. Create a New Site or Site Collection.
  2. Create an AD Group that contains "Admin, User1" and "Admin, User2".
  3. Add this AD Group under Site Actions > Site Permissions and then Site Collection Administrators.
  4. Add "Owner, User1" and "Owner, User2" to your owners group, and "Member, User1" and "Member, User2" to your members group.
Now create a small web part or aspx page that loops through and lists people with FullMask. I use FullMask because we are migrating sites from 2007, which mucks up the owners group, and we cannot rely on end users to actually use the owners group. The code I have used is:

// ownersOUTPUT is a Label/Literal control on the web part or page.
using (SPSite siteCollection = new SPSite(SPContext.Current.Site.ID))
{
     int userCnt = 0;
     // Every principal known to the site collection (users and AD groups).
     SPUserCollection userCollection = siteCollection.RootWeb.SiteUsers;
     foreach (SPUser user in userCollection)
     {
          string userSTR = user.Name;
          // Effective permissions on the root web, rendered as text (e.g. "FullMask").
          string userPERM = siteCollection.RootWeb.GetUserEffectivePermissions(user.LoginName).ToString();
          // List full-control holders who are NOT flagged as site collection admins.
          if (userPERM.Equals("FullMask") && !user.IsSiteAdmin)
          {
               userCnt++;
               ownersOUTPUT.Text += userSTR + "<br />";
          }
     }
}
When you run this you should only see "Owner, User1" and "Owner, User2", which is what you would expect. Now add "Admin, User1" and "Member, User1" to your owners group and reload. As expected, you should now see "Admin, User1" and "Member, User1" listed as well. Finally, remove "Admin, User1" and "Member, User1" from your owners group and refresh. You should see what I am talking about.

"Member, User1" should disappear as you would expect, but "Admin, User1" is still listed and will not go away. Notice that my code excludes users where IsSiteAdmin is true. Try adding "Admin, User1" directly to Site Collection Administrators and reload. Poof, he is gone.

This is because when a user is added directly to Site Collection Administrators IsSiteAdmin returns true; however, when the user has access via an AD Group in the same location IsSiteAdmin returns false. I assume that this works properly before "Admin, User1" is added directly because the user's permissions do not yet exist in the Sharepoint table. However, when you add the user to the site a record is created, and it is not properly cleaned up when removed because the user is still referenced as a Site Collection Administrator via the AD Group.
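Because IsSiteAdmin only reflects accounts added directly to Site Collection Administrators, an audit that relies on it alone will misreport users who are admins through an AD group. The helper below is an added example, not code from the original post: it reports the explicit site collection admins, the AD groups sitting in that list (whose membership SharePoint cannot expand here and must be checked in AD), and every individual account that effectively holds FullMask without being flagged as an admin. It compares the SPBasePermissions value directly instead of its ToString() text, and it assumes the site ID is taken from SPContext.Current.Site.ID as in the post (the new SPSite it opens is its own and is disposed; the context's site must not be).

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using Microsoft.SharePoint;

// Added example (not from the original post): audit helper for a
// SharePoint 2010 site collection that separates explicit admins,
// AD groups in the admin list, and full-control holders that
// IsSiteAdmin does not flag.
public static class SiteAdminAudit
{
    public sealed class Result
    {
        public List<string> ExplicitSiteAdmins = new List<string>();  // IsSiteAdmin == true
        public List<string> AdminDomainGroups = new List<string>();   // AD groups in Site Collection Administrators
        public List<string> FullMaskNonAdmins = new List<string>();   // FullMask but IsSiteAdmin == false
    }

    // siteId is assumed to be SPContext.Current.Site.ID; the SPSite opened
    // here is ours, so it is disposed. Never dispose SPContext's own site.
    public static Result Run(Guid siteId)
    {
        Result result = new Result();
        using (SPSite site = new SPSite(siteId))
        {
            SPWeb web = site.RootWeb;

            // Principals listed under Site Collection Administrators,
            // including AD groups added there (IsDomainGroup == true).
            foreach (SPUser admin in web.SiteAdministrators)
            {
                if (admin.IsDomainGroup)
                    result.AdminDomainGroups.Add(admin.LoginName);
                else
                    result.ExplicitSiteAdmins.Add(admin.LoginName);
            }

            // Every individual account known to the site collection that
            // effectively holds FullMask on the root web.
            foreach (SPUser user in web.SiteUsers)
            {
                if (user.IsDomainGroup)
                    continue; // group principals are reported above

                SPBasePermissions perms = web.GetUserEffectivePermissions(user.LoginName);
                bool fullMask = (perms & SPBasePermissions.FullMask) == SPBasePermissions.FullMask;

                if (fullMask && !user.IsSiteAdmin)
                    result.FullMaskNonAdmins.Add(user.LoginName);
            }
        }
        return result;
    }

    // Plain-text rendering suitable for a Literal control or a log line.
    public static string Render(Result r)
    {
        StringBuilder sb = new StringBuilder();
        sb.AppendLine("Explicit site collection admins: " + string.Join(", ", r.ExplicitSiteAdmins.ToArray()));
        sb.AppendLine("AD groups in site collection admins (check membership in AD): " + string.Join(", ", r.AdminDomainGroups.ToArray()));
        sb.AppendLine("FullMask holders not flagged IsSiteAdmin: " + string.Join(", ", r.FullMaskNonAdmins.ToArray()));
        return sb.ToString();
    }
}

// Usage inside a web part or page:
// SiteAdminAudit.Result audit = SiteAdminAudit.Run(SPContext.Current.Site.ID);
// ownersOUTPUT.Text = SiteAdminAudit.Render(audit).Replace(Environment.NewLine, "<br />");
```

In the scenario from the post, "Admin, User1" shows up in FullMaskNonAdmins once SharePoint has a record for him, while the AD group that actually grants his admin rights shows up in AdminDomainGroups; a reviewer who sees a name in the first list should cross-check it against the groups in the second before treating it as a stray full-control grant. Calling GetUserEffectivePermissions for other accounts requires the caller to hold the EnumeratePermissions right on the web.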

I have not been able to test removing a user from the AD Group as that is just not a simple job in my environment. I have contacted our Microsoft Rep for more information on this, and will provide more information once I receive it.
