That's a good thought. The computer is definitely a member of the domain, and it can communicate with the domain controller because (with proper elevation) I can execute commands that require domain membership, such as NET LOCALGROUP groupname domain\user /ADD and they work.

However, the machine is a VM image which gets restored from a standard VMWare restore point, and it's very possible that the domain membership goes a bit wonky in those cases. I'll try refreshing its domain membership and see if that fixes it.