Our OCS client gave an unknown error when trying to expand Distribution Groups. After lots of searching I found this http://blogs.technet.com/greganth/archive/2009/03/26/office-communicator-error-message-received-when-expanding-a-group-distribution-list.aspx.
After trying this we still had the issue. So after finding out that you can test group expansion when connecting to the DG URL from the OCS server itself (localhost), I got an error message:
System.Security.SecurityException: Duplicate token failed
   at Microsoft.LiveServer.DLExpansion.Service.ThrowSoapFault(Exception e)
   at Microsoft.LiveServer.DLExpansion.Service.CheckAuthorization(SearchResult dnResult, DlxGroup& result)
   at Microsoft.LiveServer.DLExpansion.Service.ProcessADRequest(String key, DlxGroup& result)
   at Microsoft.LiveServer.DLExpansion.Service.ExpandDistributionList(String groupMailAddress)
There still was a problem with rights and probably with impersonation. I found out the application pool was using the RTCComponentService instead of IIS_WPG. Giving RTCComponentService impersonation rights fixed it!
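
To confirm which accounts hold the impersonation right before and after a change like the one described above, the local user-rights assignment can be exported and read. This is an added example, not part of the original post; it assumes the "impersonation rights" mentioned are the user right "Impersonate a client after authentication" (SeImpersonatePrivilege) and that it is run elevated on the OCS server.

```powershell
# Added example (not from the original post). Run elevated on the OCS server.
# Assumption: the "impersonation rights" in the post are the user right
# "Impersonate a client after authentication" (SeImpersonatePrivilege).
$Account = 'RTCComponentService'   # account name taken from the post
$Right   = 'SeImpersonatePrivilege'

# Export only the user-rights section of the local security policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# The export has one line per right: SeXxxPrivilege = *S-1-5-32-544,*S-1-5-6,name
$line = Get-Content $cfg | Where-Object { $_ -match "^$Right\s*=" }
Remove-Item $cfg -ErrorAction SilentlyContinue

$holders = @()
if ($line) {
    foreach ($entry in (($line -split '=', 2)[1] -split ',')) {
        $entry = $entry.Trim()
        if ($entry.StartsWith('*')) {
            # Entries starting with '*' are SIDs; resolve them to names when possible.
            $sid = New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
            try   { $holders += $sid.Translate([System.Security.Principal.NTAccount]).Value }
            catch { $holders += $sid.Value }
        } elseif ($entry) {
            $holders += $entry
        }
    }
}

"Holders of ${Right}:"
$holders | ForEach-Object { "  $_" }

# Direct grant only; the right can also arrive through group membership (e.g. IIS_WPG).
$direct = $holders | Where-Object { ($_ -split '\\')[-1] -eq $Account }
if ($direct) { "$Account holds $Right directly." }
else { "$Account is not listed directly; check its membership in the groups above." }
```

The output lists every principal with the right, so it also shows whether the grant to the service account is the only addition made on that server.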