@erbrown Welcome to the forums!
A few things you could inspect:
- Check the AD logs to verify that IIQ is the one enabling the user.
- Review the identity cube to see if the user has a role that enables a user. Roles assigned to users may revert any changes made directly in AD.
- Review the scheduled tasks looking for custom tasks running any rules. If there are any rule-based tasks, search for the actions you mentioned in the code.
- Review your task results to see what completed around the time of the last modified date of the affected user.
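
Added example, not part of the original reply: one way to do the first check is to pull the "user account was enabled" events (Security event ID 4722) from every domain controller and see which account performed the change. It assumes the ActiveDirectory PowerShell module, that user account management auditing is enabled on the DCs, and that IIQ connects to AD with a dedicated service account; `AFFECTED_USER` and `IIQ_SERVICE_ACCOUNT` are placeholders.

```powershell
# Placeholders (assumptions, not values from the thread).
$TargetUser = 'AFFECTED_USER'        # sAMAccountName of the re-enabled user
$IiqSvcAcct = 'IIQ_SERVICE_ACCOUNT'  # account the IIQ AD application binds with
$Since      = (Get-Date).AddDays(-7) # look-back window

# 4722 is logged only on the DC that processed the change, so query them all.
$dcs = (Get-ADDomainController -Filter *).HostName

$events = foreach ($dc in $dcs) {
    try {
        Get-WinEvent -ComputerName $dc -ErrorAction Stop -FilterHashtable @{
            LogName = 'Security'; Id = 4722; StartTime = $Since
        }
    } catch {
        # Raised when a DC is unreachable or has no matching events.
        Write-Warning "$dc : $($_.Exception.Message)"
    }
}

$events | ForEach-Object {
    # Flatten the <EventData> name/value pairs into a hashtable.
    $data = @{}
    foreach ($n in ([xml]$_.ToXml()).Event.EventData.Data) {
        $data[$n.Name] = $n.'#text'
    }
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        DC          = $_.MachineName
        Target      = $data['TargetUserName']
        Actor       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
        ByIIQ       = $data['SubjectUserName'] -eq $IiqSvcAcct
    }
} | Where-Object Target -eq $TargetUser | Sort-Object TimeCreated
```

Rows where `ByIIQ` is `False` point to something other than IIQ enabling the account; the `TimeCreated` values can then be lined up against the IIQ task results mentioned in the last bullet.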