Strange but true - How could a local restricted user profile's NT password overwrite the restricted user's domain-based cached NT login password?

Tablet OS: Windows XP Tablet Edition 2005 v2002 sp2

We have a large remote user community who use the VPN to download e-mail, etc. They rarely use a GINA-VPN login but can access company info after logging into their cached domain profile (cachedlogonscount=10) and using the VPN. Some of these users are required to attend training events at regional offices or hotels. For training, they are asked to log into a local training profile so that training materials do not impact the live domain profile. The system does have UPHClean and requires the date/time to be set months, even years, prior to meet certain training scenarios.

The issue is that after accessing the local training profile (non-complex password), a few of the users experience a strange anomaly where the local training profile's login password has replaced the live user's login password (complex password and maxpassage=60 days). The easiest way for us to resolve it is to have the user log into the live profile via the GINA-VPN and refresh their credentials.

Please note we have not been able to reproduce the issue in the lab and are still in the process of capturing an image or tablet that is exhibiting the issue.

I'm turning to you for thoughts on how this could be possible and where the breakdown might be occurring. Expired domain password, corrupt cached credentials or password verifier, incorrectly mapped SID/GUID? Thank you in advance.

PharmaEMT (Author) commented:

So the challenge presented is to reproduce how a local trainme profile's password can replace a domain user's cached password. I'm pleased to report that I've made some headway on the issue:

Environment: My corporate Dendrite DELL Latitude D620 with a VMWare sanofi-aventis image

Local training user = train**/train**/(local)
Domain user = ex00763/mypassword/Rx
Local admin = admin/bogus2008/(local)

1. Login as the domain user with ex00763/mypassword/Rx
2. Put the tablet into hibernate under the domain profile
3. Allow the tablet to hibernate
4. Power on the tablet
5. Instead of passing the domain user at the login screen, pass the local admin credentials
6. Wait for the local admin profile to load
7. Logoff the local admin
8. Login to the domain user as ex00763/mypassword/Rx
9. Wait for the domain profile to load

While these steps don't prove it can be done with the local training user, it does show that the local admin password can be passed to the domain-based profile after resuming from hibernation. Any ideas why?