When enabled VGP will apply the Windows Group Policy settings of "Allow Login Locally" and "Deny Login Locally" over any users.allow or users.deny settings.
This leads to a change in the expected behavior for access control, making it so that what is in the users.allow and users.deny files is not used if the Group Policy settings exist in Active Directory (AD) for the given machine(s).
To enabled this the following setting can be configured in the vgp.conf file:
ApplyWindowsHostAccess = true
When the above is set to "true", it enables this behavior (this will be disabled by default).
If this is set in the VGP Group Policy Object to enabled, then AD is still authoritative, as root cannot stop this from applying when vgptool processes the AD policies.
This is a more secure setting, allowing AD to be an authoritative source for access control.
Root can no longer decide who has access to the given machine, as AD is telling VAS directly what access policy to use.
What is undesirable is that there was no way in AD to turn this policy setting off, and it was affecting users not interested in this new functionality.