Scenario: dynamic group with two memberquery values attached.

This is the assigned to a level 30 role, which is linked to a child level
20 role that has several level 10 roles linked to it.

Each level 10 role has a single resource assigned, each with a static
entitlement assigned. These are all user account type entitlements.

We have quite a few of these constructs for different companies within
solution. They are all set up same way, pretty much only differ in naming
and company specific ID.

Been working just fine. Until recently that is.

RRSD set up to evaluate dynamic groups every 60 mins (default).

What we've seen is that the RRSD driver revokes an assigned resource on
many users at a time of day when those users aren't actually updated by any
input driver (data from user source retrieved once per day, in evening).

For example the RRSD begins a mass revoke at 1PM of users that should still
belong to a specific role (according to the group criteria). The odd things
is that none of the attributes used in the dynamic group criteria have

About the only thing that might conceivably be changing on these users at
1PM are changes synced back from AD (really just password, though other
attributes can event for reset.)

Anyone seen similar? Ideas as to how to troubleshoot?