This is the output from both IPA server and client:
From IPA Server:
# id mspezie@example.org
uid=1070607073(mspezie@example.org) gid=1070607073(mspezie@example.org) groups=1070607073(mspezie@example.org)
1070603934(linux power users@example.org)
1070600512(domain admins@example.org)
1535800006(ad_admins)
1535800000(admins)
....
1070600513(domain users@example.org)
# id freeipa@example.org
uid=1070607388(freeipa@example.org) gid=1070607388(freeipa@example.org) groups=1070607388(freeipa@example.org)
1070600513(domain users@example.org)
1535800006(ad_admins)
1535800000(admins)
From IPA Client:
# id mspezie@example.org
id: mspezie@example.org: no such user
# id freeipa@example.org
uid=1070607388(freeipa@example.org) gid=1070607388(freeipa@example.org) groups=1070607388(freeipa@example.org)
1070600513(domain users@example.org)
1535800006(ad_admins)
1535800000(admins)
The only difference from these two accounts is that freeipa(a)example.org is present in cn=Users and mspezie(a)example.org not.
All the AD groups associated to mspezie have a name