net user /domain returning Error 5 - Access is denied

It looks like you've somehow managed to prevent enumeration of the builtin groups. That net user call opens connections to two domains as part of its operation:

  1. To your AD Domain based on the domain SID.
  2. To the BUILTIN domain based on the widely known SID for that (S-1-5-32).

Most of the queries are done to the first connection, one is passed through the second. This pass turns $YOURDOMAIN\Domain Users into the widely known principal of BUILTIN\Domain Users (S-1-5-32-545), which the system knows to treat specially. When the connection to the BUILTIN domain is rejected, the whole call fails.

Check the permissions for the Builtin AD container in your domain tree - it should have an "Authenticated Users:Read" ACE. Also the enumeration of the Builtin container should be allowed - an Authenticated Users:Read ACE for the top level of the domain should take care of this too.
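
One way to run the check described above, as an added example that is not part of the original answer. It assumes the RSAT ActiveDirectory module (which provides the `AD:` drive) and an account allowed to read the ACLs; the function name `Test-AuthenticatedUsersRead` is hypothetical.

```powershell
# Added example: reports whether Authenticated Users holds an allow-read ACE
# on the domain root and on the Builtin container.
Add-Type -AssemblyName System.DirectoryServices
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName
$builtinDn = "CN=Builtin,$domainDn"

# Authenticated Users is the well-known SID S-1-5-11. Matching on the SID
# instead of the name avoids problems with localized account names.
$authUsersSid = 'S-1-5-11'
$genericRead  = [int][System.DirectoryServices.ActiveDirectoryRights]::GenericRead

function Test-AuthenticatedUsersRead {
    param([Parameter(Mandatory)][string]$DistinguishedName)

    $acl   = Get-Acl -Path "AD:\$DistinguishedName"
    # Explicit and inherited ACEs, with identities returned as SIDs.
    $rules = $acl.GetAccessRules($true, $true,
                 [System.Security.Principal.SecurityIdentifier]) |
             Where-Object { $_.IdentityReference.Value -eq $authUsersSid }

    # An ACE counts as "Read" only if it covers every GenericRead bit and is
    # not limited to a single property or property set (empty ObjectType).
    $allow = $rules | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.ObjectType -eq [guid]::Empty -and
        (([int]$_.ActiveDirectoryRights -band $genericRead) -eq $genericRead)
    }
    # Any deny ACE for the same principal that touches a read right is worth
    # reviewing, because deny entries take precedence over allow entries.
    $deny = $rules | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        (([int]$_.ActiveDirectoryRights -band $genericRead) -ne 0)
    }

    [pscustomobject]@{
        Object        = $DistinguishedName
        AllowReadAce  = [bool]$allow
        DenyReadAce   = [bool]$deny
        MatchingRules = @($rules).Count
    }
}

# Check both objects named in the answer: the domain root and CN=Builtin.
$domainDn, $builtinDn | ForEach-Object { Test-AuthenticatedUsersRead $_ } |
    Format-Table -AutoSize
```

A row with `AllowReadAce` set to `False`, or `DenyReadAce` set to `True`, points at the object whose ACL needs review.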