Group policies that contain a Computer object in the Security Filtering section will not apply when using Authentication Services 4.1.20185
Product Defect: 338119:
When vgptool looks at permissions, it uses tokenGroups to find all the SIDs that should be allowed. It does not use its own SID, which also could be used to allow.
Fixed in QAS 4.1 Maintenance Release