Yep, I have an "audit.kix" script that runs when the error happens to dump the network, environment and a number of other bits out to a text file. That text file is then emailed directly to me. The Environment is fine. The output of "net user %username% /domain also shows the user is a member of the group reference in the "ingroup" function. In other words, on the surface, everything looks as it should be. Again, the problem appears to be with the truncated token cache in the registry.
My solution, at this point, is to remotely hack the user's registry to clear out the existing token cache and then reach out to my local techs to have the user run the Logon Script at their convenience.
reg query \\computer_name\hku
- this shows me a list of user hives/guids; I look for one with *_classes and copy it (sans _classes)
reg delete \\computer_name\hku\S-1-5-80-1234567891-2345678912-3456789123-4567891234-5678912345\software\kixtart\tokencache /va /f
In all but one case after running this "fix", the problem has not recurred. The burning questions remains though ...
1) What caused the problem in the first place?
2) Why doesn't the problem affect everyone? Only a small percentage (less than 1%) of my users are throwing this error.