The issue is resolved in NSX for vSphere version 6.4.0
Membership events in an LDAP environment are not sent immediately to NSX Manager. Instead, a delta sync process runs every three hours. A full sync must be triggered manually. After a full sync completes, NSX Manager deletes user objects with a last modified time older than the full sync start time.
In addition, after eight hours, the user is "logged off" automatically, and the VM is moved out of the security group.