A couple of things come to mind here:
1. Are these particular Windows users mapped to a specific PI Identity, or are they defaulting to World access after explicit and trust authentication methods fail? Perhaps they are missing an AD group membership that's mapped to the correct PI Identity...?
2. Is it possible that these users are using an older version of PI-SDK?
PI SDK Version is 22.214.171.1244 (19-08-2016). This users just like the rest of the organisation should be coming in on the mapping All Domain Users to piusers identity.
What I have noticed in the message log is the persistent entries every 20 seconds. What could that possibly indicate?
OK found one of the issues was the user was still logged into another PC at another geographical location unaware. Forced the log off remotely and the log file is all quiet now. Thanks for your suggestions.