Customer configuration. Workstation mode is set to true and workstation-user-preload group is populated.
The root cause of this issue has to due with the configuration. A non-unix user is in a workstation-user-preload group, so they are cached. Then the user is unix enabled in AD. Then nss calls now fail because they see the cached non-unix user so vasd does not update or request from AD. If they weren't cached at all they would be looked up. ( Default force-if-missing behavior.)
And since they are cached they don't get groups, so could be missing group memberships until working login.
/opt/quest/bin/vastool user checkaccess <username>
/opt/quest/bin/vastool list -f user <username>