Run the delete script:
And then the following to confirm the issue is cleared.
/opt/quest/bin/vastool flush groups
Upgrade to QAS 4.0.3 Maintenance Release if lower than 18.104.22.168 version.
Enable vasd debug, instructions located here:
Capture the output of running the following:
/opt/quest/bin/vastool list -f users-allowed
Examine debug for: "Failed to process token groups for"
Once you have the user or users run an attributes dump against the user(s):
#/opt/quest/bin/vastool -u host/ attrs <username>
Look for anomalies in the user attributes, could be something like failing to escape a character in their distinguishedName, so the ldap query gets rejected. Or perhaps having a "," in their CN. If the reason isn't apparent open a support ticket and provide the debug output and details.
This error can be safely ignored