When agents are connecting via VPN they are not in contact with the Active Directory server when the system first boots up and the agent is initialized.
You will receive the error "Active Directory user group resolution failed"
With 15.5 MP2 and later we will re-initialize that process when a network change is detected.
Sometimes the underlying connection to the AD server can take longer than expected.
DLP 15.5 MP2 and later
In agent configuration advanced settings find the key labeled CONNECT_DELAY_POST_WAKEUP_OR_POST_VPN_SECONDS.int
Increase this value until the issue is resolved