If he adds a new User to the Security Group and runs the User AD Import Rule, those new users are added and removed as well. It seems that some previous Users got stale references to the AD Filter.
The affected Users lost their association to the original User AD Import Rule. So, when the regular User AD Import Rule runs, it doesn't see those Users as part of its evaluation.
These Users got out of sync between "Inv_Security_Groups" and “Inv_Import_Rule_Imported_Items” tables.
ITMS 8.1 RU7
The simplest way is to re-associate the Users back to the User AD Import Rule and let the AD Import process take care of those Users.