Error: Cannot resolve access control group
In the Group policy management tool, if you choose "Add Custom" and type in the name and select User, it doesn't put the UPN into the users.allow file. Therefore QAS thinks it is a group instead of a user.
In the Group policy management tool when editing the users.allow file choose "Add User for users.
In the users.allow file the full UPN of the user must be in the file. For example: email@example.com
Here is some information from the users.allow.sample file:
-bash-3.00# more users.allow.sample
# Sample users.allow file
# This assumes that the host has been joined to the example.com domain.
# To validate users.allow file: vastool status allow
# Allow members of the sales group to log in.
# Allow members in rc.red.example.com's tg-1-g to log in (domain\SAM account).
# Allow users that belong to the engineering OU.
# Allow members in the example.com realm (domain) to log in.