After performing a flush or joining VAS to the domain, if there are two groups in the /etc/opt/quest/vas/users.allow file, one UNIX-enabled and one not, "/opt/quest/bin/vastool list users-allowed" shows only the users in the Unix-enabled group.
If you run a "/opt/quest/bin/vastool user checkaccess" on a user in the non UNIX-enabled group, the "/opt/quest/bin/vastool list users-allowed" then shows all the users in both groups.
While this doesn't affect the access control, when a user attempts to login, it does make performing certain types of audits on who is allowed access to the system difficult.
Authentication Services does not cache non UNIX-enabled groups until a user who is a member of one logs in, or the group is looked up specifically using "vastool".
Add this option to /etc/opt/quest/vas.conf:
expand-ac-groups = true
This may cause cache loading after a join or flush to take longer depending on how many groups are being added, however it should correctly load all of access control groups.