Completely forgot to ask about what I was most curious about.
If I view the Audit information of the effected users, I see an entry for "Recovery Started" right before they are unable to login, and then every time they sync I see it again. I feel like this has to be what is causing our problem, but I can't find any information on the event ID or why it would be trying to recover without any input from IT staff.
can you grab a client log? The only reason I can think of is someone has been tinkering with your back end db - maybe they restored an old version of the top of it. The client log may give us some hints.
Recovery started I think is logged if the user hits the recover button.
Changes you make not sticking are usually because an admin has connected with the wrong time/zone on their pc - setting a timestamp far in the future. You need to recreate the token to solve this - just resetting it won't change the timestamps, so do a create token on the problem user.
Maybe someone bought an old machine online, and tried guessing the passwords for the users - that would flag them system wide and would cause token updates (if they were eventually able to login on that old machine anyway).
Thanks for the reply. A different group houses the actual server/DB so it is possible someone messed with something without our knowledge, but it happens every time the user sync's again, so a 1 time DB restore to an older version doesn't seem a likely cause.
The timestamp thing looked like a promising cause, I saw a few other threads about that. But that is also not our issue.
Our IT staff is too small to have someone randomly bring a system back online and not say anything after issues started. And our users only have access to one system each. All of our systems are tracked pretty well, there are no "rogue" systems out there with MEE installed.
After looking around here, i saw alot of threads about problems occuring with SSO and with the option to set the MEE PW to the current windows PW automatically. We dont use SSO, but we do use the "password sync" option. I decided to just turn that off and voila. So far it has fixed the issue on 8-9 computers.
Any idea why an option which has been set for years would all of the sudden cause a widespread problem like this? It seemed to take effect right after the most recent windows update...is it possible that Microsoft closed the "hole" that allows MEE to grab the password and is corrupting the MEE password?
I don't see anyone else reporting a problem, if it was the Microsoft update, you'd have thought it would have affected everyone.
Did you have the "must match username" ticked in the Window Login policy of the machine? If you view the SSO creds of a broken user - does the user name for Windows match the pre-boot user name?
Did you get a client log - I don't see one attached.