When users are in one domain and their groups are in another domain, user override by group can be erratic and not apply correctly after a flush.
When a client is in workstation mode and the users are foreign security principals in groups that are in a different domain, it takes a while after a flush before the group is detected so that the override can be applied.
This was first discovered in an environment where a domain migration was happening; every night some users would be moved to the new domain, so QAS had to be flushed after the nightly move. Since the clients were in workstation mode, this was emptying the cache.
The solution is to disable workstation mode for the duration of the migration and to add cross-domain user and group search capabilities to the [vasd] section of vas.conf.
group-search-path = DC=domain-one,DC=com;DC=domain-two,DC=com
user-search-path = DC=domain-one,DC=com;DC=domain-two,DC=com
cross-domain-user-groups-member-search = true