214-042308 asked:
VPN works great UNTIL users log on or off the domain, then tunnel breaks!

Really driving me nuts. I have a branch office tunnel between sites using SonicWall TZ170 firewalls. The tunnels work perfectly for remote network folder access, Exchange, and Internet. But as soon as someone in that office logs their desktop computer onto the domain, BAM! The connection drops and they have to reboot the firewall to re-establish it (and then everything works fine again until another logon attempt). Has anyone seen this?


Rob Williams:
No chance it is related to the number of licenses? SonicWalls are sold with a specific number of user licenses and that cannot be exceeded. On a LAN, if for example you have 10 licenses, the 11th user will be blocked. I am not sure about the VPN connections. It is possible the new LAN user may have priority over the VPN user and "bump" them.
Just a thought.
214-042308 (asker):
Not likely. The device is licensed for five connections, with only three people in the office. I spoke with AT&T and it seems the provisioned DSL is WAAAAY past their 13k distance limit. The problem seems to be corrupted packets killing the circuit - as soon as the firewall is rebooted, everything works fine again. As soon as someone tries to log on, BANG. Circuit dead. I was following the theory that I was dealing with malformed packets and changed the MTU size (matched) but that didn't do it. Somehow the logon process is sending data using specific services/ports that this line does not like. I am using the identical setup for four branch offices with identical equipment - the other three offices work perfectly. Scratching my head...
Rob Williams:

DSL did have a 4. or 4.7 km distance limit. They have extended that, but it sounds like they are pushing the limit at your site. VPNs do require stable connections with consistent ping responses of less than 125 ms, and preferably less than 50 ms, with stable being the key.
Do you have the option of changing providers?
How low did you set the MTU? Try the VPN client at 1200 if you haven't done so already.
214-042308 (asker):

With apologies to anyone reading this in the Eureka, California area - the wiring infrastructure there is nothing to write home about. The area is prone to almost constant corrosion problems, the B-box punchdowns are probably not very clean, and the demarc locations are often wet. Changing carriers won't do anything because they would have to use the same lines. I'm leaning in the direction of poor infrastructure as my problem, since when the circuit is working all network resources 300 miles away are accessible without any problems. Burp the line with unexpected packet traffic or dropouts and that's all she wrote. I'll wrap this thread up after I meet with technicians this morning.
Rob Williams:

Sounds like it is systems that are out of your control.
214-042308 (asker):

Well, it's not my configuration. I had a network technician onsite to double-check my VPN. When it's up it works like a champ. When we tracert and ping tested the connection it was all over the place - sometimes over 450 ms for stretches. I'm still curious though - what is it about logging on that kills the connection? I can only assume it has something to do with traffic related to authentication, but all that stuff is passed on the firewall. Weird.
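The latency criteria Rob gives above (consistent replies under 125 ms, preferably under 50 ms, and above all stable) and the 450 ms stretches the asker's technician saw with ping can be checked mechanically rather than by eye. The script below is an added example and is not part of the original thread or anything SonicWall ships: it parses ordinary Linux/macOS `ping` output, computes RTT spread, jitter and loss, and grades the link against those thresholds. The jitter and loss limits, the peer address 10.20.0.1 and the two sample ping transcripts are constructed for the example.

```python
"""Grade a link's ping results for site-to-site VPN suitability.

Added example, not code from the original thread. Reads standard
`ping` output (Linux or macOS format) and reports RTT, jitter and loss.
"""
import re
import statistics

# Thresholds stated in the thread: RTT must stay under 125 ms, preferably
# under 50 ms. The jitter and loss limits are assumptions for this example.
MAX_RTT_MS = 125.0
PREFERRED_RTT_MS = 50.0
MAX_JITTER_MS = 30.0
MAX_LOSS_PCT = 1.0

RTT_RE = re.compile(r"icmp_seq=\d+ .*?time=([\d.]+) ms")
SUMMARY_RE = re.compile(r"(\d+) packets transmitted, (\d+) (?:packets )?received")


def parse_ping(text):
    """Return (rtts_ms, transmitted, received) from raw ping output."""
    rtts = [float(m.group(1)) for m in RTT_RE.finditer(text)]
    m = SUMMARY_RE.search(text)
    if m:
        sent, recv = int(m.group(1)), int(m.group(2))
    else:
        sent = recv = len(rtts)  # no summary line: assume nothing was lost
    return rtts, sent, recv


def jitter_ms(rtts):
    """Mean absolute change between consecutive RTTs (0.0 if <2 samples)."""
    if len(rtts) < 2:
        return 0.0
    return statistics.fmean(abs(b - a) for a, b in zip(rtts, rtts[1:]))


def assess(text):
    """Grade ping output: 'good', 'marginal', 'unsuitable' or 'no data'."""
    rtts, sent, recv = parse_ping(text)
    if not rtts:
        return {"verdict": "no data", "reasons": ["no echo replies parsed"]}
    loss_pct = 100.0 * (sent - recv) / sent if sent else 0.0
    jit = jitter_ms(rtts)
    report = {
        "min_ms": min(rtts),
        "avg_ms": statistics.fmean(rtts),
        "max_ms": max(rtts),
        "jitter_ms": jit,
        "loss_pct": loss_pct,
        "reasons": [],
    }
    if report["max_ms"] > MAX_RTT_MS:
        report["reasons"].append(f"peak RTT {report['max_ms']:.0f} ms exceeds {MAX_RTT_MS:.0f} ms")
    if jit > MAX_JITTER_MS:
        report["reasons"].append(f"jitter {jit:.1f} ms exceeds {MAX_JITTER_MS:.0f} ms")
    if loss_pct > MAX_LOSS_PCT:
        report["reasons"].append(f"loss {loss_pct:.1f}% exceeds {MAX_LOSS_PCT:.0f}%")
    if report["reasons"]:
        report["verdict"] = "unsuitable"
    elif report["avg_ms"] > PREFERRED_RTT_MS:
        report["verdict"] = "marginal"
    else:
        report["verdict"] = "good"
    return report


# Constructed sample resembling the "all over the place" line in the thread:
# two probes spike past 450 ms and one reply never comes back.
BAD_LINK = """\
PING 10.20.0.1 (10.20.0.1) 56(84) bytes of data.
64 bytes from 10.20.0.1: icmp_seq=1 ttl=62 time=41.2 ms
64 bytes from 10.20.0.1: icmp_seq=2 ttl=62 time=38.9 ms
64 bytes from 10.20.0.1: icmp_seq=3 ttl=62 time=452.7 ms
64 bytes from 10.20.0.1: icmp_seq=5 ttl=62 time=471.3 ms
64 bytes from 10.20.0.1: icmp_seq=6 ttl=62 time=44.0 ms

--- 10.20.0.1 ping statistics ---
6 packets transmitted, 5 received, 16.6667% packet loss, time 5008ms
"""

# Constructed sample of a healthy branch circuit for comparison.
GOOD_LINK = """\
PING 10.20.0.1 (10.20.0.1) 56(84) bytes of data.
64 bytes from 10.20.0.1: icmp_seq=1 ttl=62 time=29.8 ms
64 bytes from 10.20.0.1: icmp_seq=2 ttl=62 time=30.4 ms
64 bytes from 10.20.0.1: icmp_seq=3 ttl=62 time=31.1 ms
64 bytes from 10.20.0.1: icmp_seq=4 ttl=62 time=29.9 ms
64 bytes from 10.20.0.1: icmp_seq=5 ttl=62 time=30.6 ms
64 bytes from 10.20.0.1: icmp_seq=6 ttl=62 time=30.2 ms

--- 10.20.0.1 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5006ms
"""

if __name__ == "__main__":
    for name, sample in (("bad link", BAD_LINK), ("good link", GOOD_LINK)):
        r = assess(sample)
        print(f"{name}: {r['verdict']}")
        for reason in r["reasons"]:
            print(f"  - {reason}")
```

In practice you would run something like `ping -c 200 <tunnel peer> > ping.txt` from the branch LAN for several minutes, including across a domain logon, and feed the file to `assess()`; a verdict of "unsuitable" driven by peak RTT or loss, while the average looks fine, is exactly the pattern that drops an IPsec tunnel whose dead-peer detection keepalives miss their window.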
ASKER CERTIFIED SOLUTION: Rob Williams