Wordpress WPMU Login consistency across multisite

I'm working on a WPMU multisite install but have run into a wee problem.

I create a user during a signup process on my primary domain. With something like the following.

$username = 'myname-'.time();
$user_id = wpmu_create_user($username,'anypassword','example@gmail.com');

add_user_to_blog(1, 5, 'subscriber');

$user = wp_signon(array(
"user_login" => $username,
"user_password" => 'anypassword',
"remember" => true
));

What I do is create the user, and then assign it to the primary domain only, and the log the user in with wp_signon. However, when visiting a subsite of the network on a sub domain which is importantly very restrictive in it's access. I am still logged in and the dashboard menu at the top still shows.

I used is_user_blog() to try and determine whether the user should be able to see this and could direct them to the login page of the sub domain. But this would mean terminating the existing login session on the primary domain. Ideally it would be cool if you could be logged in to the primary domain and also logged into the sub domain but both treated seperately.

Anyone run into this problem before?

Yes, I had this issue. And, if you need special user management, you'll have to set up a new autonomous (single site) WordPress installation.

That's the way Multisite works. All users are automatically included as subscribers of all sites in the network.

From the article Don't Use WordPress Multisite:

If you need users to be on different sites, but not aware that they’re on a network, don’t use MultiSite! Now, yes, there are ways around this, however it’s an auditing nightmare for any large company, and a security risk that you should be aware of before you start.

This plugin may be of help (but am not sure): Multisite User Management.

From this recent answer I gave on WordPress StackExchange, some little hacks may be helpful:
^{(I did small tests in my development environment, but please, test extensively)}

/*
 * Redirect users that are not members of the current blog to the home page, 
 * if they try to access the profile page or dashboard 
 * (which they could, as they have subscriber privileges)
 * http://not-my-blog.example.com/wp-admin/profile.php
 */
add_action( 'admin_init', 'wpse_57206_admin_init' );

function wpse_57206_admin_init()
{
    if( !is_user_member_of_blog() ) 
    {
        wp_redirect( home_url() );
        exit();
    }
}


/*
 * Redirect users that are not members of the current blog to the home page, 
 * if they try to access the admin
 * http://not-my-blog.example.com/wp-admin/
 */
add_action( 'admin_page_access_denied', 'wpse_57206_access_denied' );

function wpse_57206_access_denied()
{
    wp_redirect( home_url() );
    exit();
}


/*
 * Redirect users that are not members of the current blog to the home page, 
 * if they try to login
 * http://not-my-blog.example.com/wp-login.php
 */
add_filter( 'login_redirect', 'wpse_57206_login_redirect' );

function wpse_57206_login_redirect( $url )
{
    global $user;
    if ( !is_user_member_of_blog() ) 
    {
        $url = home_url();
    }
    return $url;
}


/*
 * Hide the admin bar for users which are not members of the blog
 */
add_filter( 'show_admin_bar', 'wpse51831_hide_admin_bar' );

function wpse51831_hide_admin_bar( $bool )
{
    if( !is_user_member_of_blog() )
    {
        $bool = false;
    }
    return $bool;
}