This issue can be resolved by configuring the hub NOT to cache the group membership information, but instead, to look up each user as they log in, in order to determine what groups they belong to. This can slow down the login process by a few seconds but will otherwise resolve the performance problems seen in such environments.
To set this up, backup and then edit the hub configuration file (hub.cfg) and set the following keys under the LDAP->Templates->Active Directory section:
(that last key should be set to a blank value, removing the default value 'memberOf').
Restart the hub after saving the file.