If the user attempts to log on without the trailing $, the attempt is successful?
This behavior is by design and caused by Kerberos (and other authentication packages) retrying when the account is NOT found. When the package retries, it appends a $ to determine if the account is a machine account or a user account, because Windows domains store computer account names with an appended $.
NOTE: An exception to this rule is when both accounts exist, xxxx and xxxx$. In this case the log on only succeeds if the xxxx account is found.
NOTE: There is no rule prohibiting the use a $ in the user name.