If a user logs into a system using a password, their groups should be mostly identical for any system on the domain. Domain local group memberships can change (domain local groups are only supposed to show up when logging into the domain they are in).
If they don't log in with a password, vasd makes a best effort to get their current memberships using the tokenGroups attribute in AD, but that can be incomplete (especially cross-domain).
Here is a command to see what groups are listed in a user's PAC:
# /opt/quest/bin/vastool -u <user> auth groups
Differences in /etc/opt/quest/vas/vas.conf settings and PAM configuration could also cause different behaviour on machines.