You define User Groups on the Enforce Server.
User Groups contain user identity information that is populated by synchronizing the Enforce Server with a group directory server (Microsoft Active Directory).

Symantec Data Loss Prevention Enforce

First, you have to create a Group Directories connection to connect the Enforce to the AD LDAP server.
System > Settings > Directory Connections > Add Connection

When you create a User Group, it shows immediately.

When you create or change a User Group, select “Refresh the group directory index on Save”.
Once you click save, the User Group profile is updated with the latest index replication.

You do not have to index each time. 
You control when you want to index on the "Index Settings" tab.
If you change the Group GUID, then you need to re-index. 
You can set the Group Directories connection to “never” and only do the index through the User Groups when it is required.

The indexing process saves the information locally on the Enforce Server into an encrypted file, RDX, into the ..\Protect\index folder.
The RDX file is later pushed to the Detection servers.

The AD cache is stored on the Endpoint Agent in the SQLite grp.ead database.