Some vastool command output has changed in Authentication Services 4.x. Many error messages have been changed to be clearer and more informative. If you have scripts written to vastool you should test these scripts before rolling out an upgrade particularly if you parse vastool text output. Take special note of the following changes:
Access for service <service> by <user> is allowed. Access for service <service> by <user> is not allowed, <reason>.
ALLOWED [user=<user>] [service=<service>] DENIED (<reason>) [user=<user>] [service=<service>]
This makes the result of the access check more obvious.
Authentication Services 4.0 changed the format of the internal database. Thus, when upgrading from VAS 3.x to 4.1, all stored disconnected credentials become unusable and will be flushed. You will not have disconnected credentials until you have successfully logged in during a connected state.
VAS 3.5 provided vasfilter.adm which allowed you to create limits on Unix values in the ADUC snap-in module. In Authentication Services 4.x you set the Global Unix Options in the Control Center under Preferences.
In VAS 3.5 the pam module was placed at the top of the PAM stack. In Authentication Services 4.x it is placed just before the local password validation module, usually pam_unix. When Authentication Services configures the PAM stack, it converts multi-line entries to one-line entries.