Thanks for the reply.
The VMs are in the same OU as the physical machines, and we don't have any GPO settings for them anyway.
We haven't done anything to the master template for at least a month, so I ruled that out, too.
It's almost as if the permissions for these 2 users are reverting back to a generic Domain User, which is enough to get them logged into the virtual but not to get any of their special permissions.
We're completely baffled by this whole thing...