The auth_membership group parameter controls whether puppet ensures the group contains exactly the members specified, and no more, or contains at least the members specified. By default, the group parameter defaults to the former, which is opposite to the auth_membership user parameter. This makes the group parameter difficult to use in practice, because you need to know what the complete set of group members should be. For example, on Windows the local Administrators group may contain a combination of local and domain user/group accounts, and that may vary across different types of machines.
We should change the auth_membership group parameter to default to false so that it is consistent with the user parameter.