Dynamic users get deleted whenever there is any change in the Windows Database Configuration.  In order to recalculate group membership after a mapping change SecureACS must purge dynamic users.  This is a problem when you have set user-specific properties.  One workaround is to create manually-defined users – they can still use Windows AD authentication, but won’t be deleted if you reconfigure database mappings.