You are unable to run certain commands because group memberships are missing, and running vastool flush resolves the problem only temporarily.
Nested groups are groups within groups.
Please note that as of version 4.0.3.189, preload-nested-memberships is true by default. If you are using a more recent version and the setting is not present in vas.conf, preload-nested-memberships is set to true.
The following steps are necessary if it has been set to false in vas.conf:
1 - Run the following command, which adds the preload-nested-memberships setting to the /etc/opt/quest/vas/vas.conf file under the vasd section:
# /opt/quest/bin/vastool configure vas vasd preload-nested-memberships true
The setting in the /etc/opt/quest/vas/vas.conf will look like this:
[vasd]
preload-nested-memberships = true
2 - If not in workstation mode, run the flush command below:
# /opt/quest/bin/vastool flush
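To confirm which case a host is in before applying the steps above, the following added example (not One Identity's code) reads a vas.conf-style file and reports how preload-nested-memberships is set under [vasd]. The function names, the constructed sample file and the "last occurrence wins" handling are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not vendor code. Reads a vas.conf-style file and reports how
# preload-nested-memberships is set in the [vasd] section.

# Print "true", "false" or "unset" for the file given as $1.
vasd_preload_setting() {
    awk '
        /^[ \t]*\[/ {                      # section header such as [vasd]
            sec = $0; gsub(/[ \t]/, "", sec)
            in_vasd = (sec == "[vasd]"); next
        }
        in_vasd && /^[ \t]*preload-nested-memberships[ \t]*=/ {
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)  # drop "key ="
            sub(/[ \t]+$/, "", val)        # drop trailing blanks
            found = tolower(val)           # last occurrence wins (assumption)
        }
        END { print (found == "" ? "unset" : found) }
    ' "$1"
}

# Map the setting to the action the article describes.
nested_preload_action() {
    case "$(vasd_preload_setting "$1")" in
        true)  echo "ok: nested memberships are preloaded" ;;
        false) echo "fix: run 'vastool configure vas vasd preload-nested-memberships true', then 'vastool flush'" ;;
        unset) echo "check version: true by default as of 4.0.3.189" ;;
        *)     echo "invalid: value is neither true nor false" ;;
    esac
}

# Constructed sample: the setting is false under [vasd]; the same key in a
# made-up [other] section and the commented-out line must both be ignored.
sample=$(mktemp)
cat > "$sample" <<'EOF'
[other]
 preload-nested-memberships = true
[vasd]
 # preload-nested-memberships = true
 preload-nested-memberships = false
EOF
nested_preload_action "$sample"
rm -f "$sample"
```

Run `nested_preload_action /etc/opt/quest/vas/vas.conf` on a host to check the real file; the script only reads the file and never calls vastool.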
Here is a description of the configuration setting from the vas.conf man page.
preload-nested-memberships = <true | false>
Default value: false
When groups are given through nesting, the nested memberships are normally processed only through login events. Turning on groups-for-user-update will make the memberships be processed when the user account is updated through a by-name request. This option will cause vastool, whenever it loads the user and/or groups cache, to also iterate over all users triggering nested group processing for each user.
NOTE: Quest has improved the performance of the preload-nested-memberships option and recommends that you set it to true in nested group membership situations.
Another reason a nested group may not be cached is that the group is not Unix-enabled. Access control will still work without Unix-enabling, but the group will not be cached, because it has no Unix GID unless it has been Unix-enabled.