I am chasing a nagging problem in our environment and I am hoping the smart folks in this forum can offer some advice.

Our Logon Script has a block of code that sets a number of User variables based on the user's AD Group membership. This code has been running [mostly] flawlessly for a long time (15+ years). A few months back, we started seeing errors for some users when running the INGROUP function -- which caused a cascade of errors when running other Logon Script modules.

Skipping all of the gory troubleshooting bits, we discovered the Kixtart TokenCache (hkcu\software\kixtart\tokencache) is truncated on machines throwing the error. Actually, it appears to quit after the Machine (local) group membership; none of the Domain groups (Local, Global or Universal) appear in the Token Cache. I also noted machines with truncated token cache are missing the CacheAge value.

The command line that runs the Logon Script already contains the /F parameter to flush the cache before each run, so we should be OK.

We have a variety of manifestations of the error:

- The error does not occur during every logon for some users
- The error does not happen for everyone
- The error happens on every logon for some users

I can find no common denominator for users consistently getting the error -- or any other common denominator for that matter.

After the error happens, if I manually run the Logon Script, the error may or may not happen again (50/50).

The error does not appear to follow the user to another machine. A different user logging onto a machine that exhibited the error previously may or may not have a problem. It usually does not for new user profiles.

My environment looks like this:

- Windows client-server domain with two-way (in and out) Trusts to five (5) other domains
- Forest functional level: 2003
- Domain functional level: 2008 R2
- Domain Controllers: 57 DCs in 53 sites; Server 2008 R2
- Clients: Windows 7, SP1, 32-bit
- We are [mostly] current on patches
- Kixtart version: 4.62.

I have already read through some of the other posts on this topic (http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=196497 and http://www.kixtart.org/forums/ubbthreads.php?ubb=showflat&Number=193933#Post193933). I tried installing MS KB262958 (it is "not applicable" to our systems). I also looked at http://support.microsoft.com/kb/976494 and the related Hotfix ... no joy.

Deleting and recreating the User Profile does not fix the problem either.

Over the past few days, I "fixed" about a dozen machines by running "wkix32.exe /F" by itself, confirming the token cache was removed from the registry (hkcu\software\kixtart\tokencache), running a script with a single INGROUP function in it ($_ = ingroup("domain users")), confirming the token cache was rebuilt successfully (including the CacheAge value) and then restarting the machine. Problem solved, right? I would like to think so, and most of the machines are still OK, but I have 3 machines that are broken again today.

I'm pulling my hair out here! Any insight / assistance will be most appreciated.