OK. Tracked it down but it is sort of weird.
I had the Orchestrator account in the vcoAdmins@system-domain group tied to the AD account. (i.e. the vcdAdmins@system-domain contained user@my-domain as part of the group)
I dropped it and re-added user@my-domain (same account, same domain, same AD server.)
Restarted Orchestrator client.
Viola! No issues.