Agent groups can be defined by User Attributes or an Endpoint server.  Think of the agent group as a filter.  As long as the filter matches, they will be assigned that group.  Priorities do come into play, please review this article: Viewing and managing agent groups in DLP. <https://knowledge.broadcom.com/external/article?articleNumber=174254>

Endpoint server:  You CANNOT move users to an Agent group setup for Endpoint server.  It's specified in the agent configuration and it's tied to the server connection attribute.  If you have explicitly set up your agent to connect to a particular endpoint server, they will automatically show up in this group.  

User Attributes:  You CAN move users to agent groups setup for user attributes.  The reason for this is these are controlled by user attributes and can be from AD or another source.  These attributes can be dynamic and is pulled from the host itself.  For example, like hostname or Office location or City etc.  For this reason, you can actively move users from one agent group to another as they are dynamic.