The product is working as expected. The getent password command returns the user which is in the cache. The user is in the cache but it does not mean that they have access to the system. The users.allow controls access but not who is in the cache.
1 - Run the command: /opt/quest/bin/vastool list -f users-allowed
This command will report Unix enabled AD users which have access to the system.