Couple of things to check. First, check the job scheduler (WRKJOBSCHE) to
see if job QSECIDL1 exists. This job is added if someone were to run the
ANZPRFACT command with a specified number of days. If someone ran the
command and entered 1 for the number of days, then any profile object
who's last used date on the profile object is greater then one day, then
it will disable the profile.

The next place you check, assuming security auditing and the appropriate
system values are set, is the security audit journal. Enter the following
command...

DSPAUDJRNE ENTTYP(CP) FROMTIME('01/10/2006') OUTPUT(*)

You can adjust it for your desired time and date period. If a change to a
profile was done, it will show you the profile who changed it, what
profile they changed, and the date and time of the change. Armed with
the person who made the change enter the following command..

DSPJRN JRN(QAUDJRN) FROMTIME('01/10/2006') USRPRF(<user who made the
change>)

will display the internal details of the security audit journal (adjust
the date and time accordingly). Locate the time with associated entry of
type 'CP' and place a '5' next to it to display the entry. Press 'F10 if
its not already displaying the display audit entry details and it will
show you the who, job name, program, etc...everything you could possibly
want.

Hope that helps.

Thanks,
iSeriesDude.

Another place to check is users trying to connect via iSeries Access or
Netserver. If these attempts fail, the userid can get disabled. I
had a company that gave everyone an "X" drive mapped to IFS. When
their windows passwords changed, they got disabled because the
Netserver share was failing. This can occur even if they aren't
"opening" the drive.
Also, there used to be an issue using mixed case passwords when
accessing via Netserver. I don't remember when it was fixed.