RESOLUTION 1:
Run the delete script:
/opt/quest/libexec/vas/scripts/deleted_check.sh
And then the following to confirm the issue is cleared.
/opt/quest/bin/vastool flush groups
RESOLUTION 2:
Upgrade to QAS 4.0.3 Maintenance Release if lower than 4.0.3.193 version.
RESOLUTION 3:
Enable vasd debug, instructions located here:
https://support.oneidentity.com/authentication-services/kb/27000/
Capture the output of running the following:
/opt/quest/bin/vastool list -f users-allowed
Examine debug for: "Failed to process token groups for"
Once you have the user or users run an attributes dump against the user(s):
#/opt/quest/bin/vastool -u host/ attrs <username>
Look for anomalies in the user attributes, could be something like failing to escape a character in their distinguishedName, so the ldap query gets rejected. Or perhaps having a "," in their CN. If the reason isn't apparent open a support ticket and provide the debug output and details.
WORKAROUND:
This error can be safely ignored