If the user attempts to log on without the trailing $, the attempt is successful?

This behavior is by design and caused by Kerberos (and other authentication packages) retrying when the account is NOT found. When the package retries, it appends a $ to determine if the account is a machine account or a user account, becauseĀ  Windows domains store computer account names with an appended $.

NOTE: An exception to this rule is when both accounts exist, xxxx and xxxx$. In this case the log on only succeeds if the xxxx account is found.

NOTE: There is no rule prohibiting the use a $ in the user name.