If you use WindowsIdentity or LogonUserIdentity, it will collect group information from the authorization information stored on the Kerberos Ticket (TGT).
This is powerful and useful, because once you are authenticated and receive a Kerberos TGT, you do not need to query Active Directory again to get all the group information. Listing groups is actually quite expensive and complicated. Therefore, the Kerberos cache approach is preferable, and this approach is used when accessing any Windows resources.
However, this also means that after adding a user account to a group, the WindowsIdentity or LogonUserIdentity approach will not know the new groups. You must clear your Kerberos ticket and get it again. You can log out and then log in, or you can lock your screen and enter a password to unlock the screen.
If for some reason you still want to enumerate the groups yourself, I recommend using UserPrincipal.GetAuthorizationGroups in .NET 3.5. It returns all security groups to which the user belongs.
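The difference between the two approaches can be made visible by comparing them. The following is an added example, not part of the original answer: it lists groups that the directory reports through UserPrincipal.GetAuthorizationGroups but that are absent from the current logon token. It assumes a domain-joined machine and a reference to System.DirectoryServices.AccountManagement; the class name `StaleTokenCheck` and the helper `MissingFromToken` are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.AccountManagement;
using System.Linq;
using System.Security.Principal;

static class StaleTokenCheck
{
    // Hypothetical helper: directory groups (SID -> name) whose SID is not in the token.
    public static List<string> MissingFromToken(
        IEnumerable<string> tokenSids, IDictionary<string, string> directoryGroups)
    {
        var inToken = new HashSet<string>(tokenSids, StringComparer.OrdinalIgnoreCase);
        return directoryGroups
            .Where(g => !inToken.Contains(g.Key))
            .Select(g => g.Value + " (" + g.Key + ")")
            .OrderBy(s => s)
            .ToList();
    }

    static void Main()
    {
        using (WindowsIdentity identity = WindowsIdentity.GetCurrent())
        {
            // Group SIDs carried by the logon token; these were fixed at logon time.
            List<string> tokenSids = identity.Groups.Select(g => g.Value).ToList();

            // Group SIDs the directory reports right now (one or more LDAP round trips).
            var directoryGroups = new Dictionary<string, string>();
            using (var ctx = new PrincipalContext(ContextType.Domain))
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.Sid, identity.User.Value))
            {
                if (user == null)
                {
                    Console.Error.WriteLine("Account not found in the domain.");
                    return;
                }
                foreach (Principal group in user.GetAuthorizationGroups())
                    if (group.Sid != null)
                        directoryGroups[group.Sid.Value] = group.Name;
            }

            List<string> missing = MissingFromToken(tokenSids, directoryGroups);
            Console.WriteLine("Token groups: {0}, directory groups: {1}",
                tokenSids.Count, directoryGroups.Count);
            foreach (string entry in missing)
                Console.WriteLine("Not in token (log on again to pick it up): " + entry);
        }
    }
}
```

The comparison is deliberately one-directional: the token also carries well-known SIDs such as Everyone and the logon session SID, which the directory query does not return, so token-only entries do not indicate a stale ticket.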