Some things to look for:
Are there duplicate objects in the tree for that device? ie is the laptop in there twice?
Are they talking to an Agent Handler or to ePO?
In the log files that are generated after enabling logging in the registry, you can do a search for the user IDs to see if their IDs have been downloaded. I think you can see it each time it syncs.
Also check to make sure add local users is NOT checked in the policy being applied.
Is ePO showing any errors when you querry the device for eeAdmin events, things like eventID 30003 Token Initialization event, 30017 General Exception Event?
- There are no duplicate entries for that device in ePO, only one entry;
- We use ePO, the machine talks to ePO (agent 4.5);
- I searched for the user ID, but is nowhere in the log, even though the ePO agent shows correct communication;
- Add local users is not checked in the policy;
I now see that an error message appears in the log file:
- epepcuserhandler.cpp / epepc_user_handler::get_users_times: 438: [0xEE050014] / failed to open file
- epeepodatachennelhandler.cpp / activate_update: 784: [0xEE01000E] [0xEE050014] / failed to open file
- mfepecredentialproviderservice / epeutil_fsm::run:177: Wait for messages was aborted
The problem is solved by performing an Emergency Boot.
I now see the users in the logfile and am able to login with these accounts.