Why do some users in an AD group fail to import during an LDAP import?
Sometimes the AD or LDAP users get out of sync between the access and credential management database tables.
An out-of-sync issue can happen occasionally for different reasons (users are moved between groups, principal names are changed, etc.). Usually CA PAM picks up such a change, but sometimes it does not, specifically for users imported from LDAP. Local users are not affected.
1. Compare those users in Active Directory with users that import successfully.
2. Contact Support for the latest User Sync Patch.
The User Sync Patch is applied to the primary machine with the cluster up; a reboot is not necessary.
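
One way to carry out the comparison in step 1, as an added example that is not CA PAM or vendor code: it takes user objects shaped like `Get-ADUser` output and reports where each failing account differs from the accounts that imported. The attribute list, the `Compare-ImportUser` and helper function names, and the sample users and group are assumptions made for illustration.

```powershell
# Added example, not vendor code. Which attributes matter to the import is an
# assumption; the article does not name them.
function Test-HasValue($Object, [string]$Name) {
    @($Object.$Name | Where-Object { "$_" -ne '' }).Count -gt 0
}
function Get-ParentContainer([string]$Dn) {
    # Drop the leading RDN; the lookbehind skips escaped commas ("CN=Doe\, Jane").
    ($Dn -split '(?<!\\),', 2)[1]
}
function Compare-ImportUser {
    param(
        [Parameter(Mandatory)] [object[]] $Working,   # accounts that imported
        [Parameter(Mandatory)] [object[]] $Failing,   # accounts that did not
        [string[]] $Attributes = @('UserPrincipalName', 'mail')
    )
    $workingOus = @($Working | ForEach-Object { Get-ParentContainer $_.DistinguishedName })
    # Groups that every working user is a direct member of.
    $commonGroups = @($Working[0].MemberOf | Where-Object {
        $g = $_; @($Working | Where-Object { $_.MemberOf -contains $g }).Count -eq $Working.Count })
    foreach ($user in $Failing) {
        $findings = @()
        foreach ($name in $Attributes) {
            $setOnAll = @($Working | Where-Object { Test-HasValue $_ $name }).Count -eq $Working.Count
            if ($setOnAll -and -not (Test-HasValue $user $name)) {
                $findings += "$name is empty but set on every working user"
            }
        }
        foreach ($g in $commonGroups) {
            if ($user.MemberOf -notcontains $g) { $findings += "not a direct member of $g" }
        }
        if ((Get-ParentContainer $user.DistinguishedName) -notin $workingOus) {
            $findings += 'container differs from every working user'
        }
        [pscustomobject]@{ User = $user.SamAccountName; Findings = $findings }
    }
}
# Constructed sample objects so the comparison runs without a domain.
function New-SampleUser($Sam, $Upn, $Ou, $Groups = @('CN=PAM-Users,OU=Groups,DC=example,DC=test')) {
    [pscustomobject]@{ SamAccountName = $Sam; UserPrincipalName = $Upn; mail = $Upn
        MemberOf = $Groups; DistinguishedName = "CN=$Sam,OU=$Ou,DC=example,DC=test" }
}
$working = @((New-SampleUser 'alice' 'alice@example.test' 'Staff'),
             (New-SampleUser 'bob' 'bob@example.test' 'Staff'))
$failing = @((New-SampleUser 'carol' '' 'Staff'),
             (New-SampleUser 'dave' 'dave@example.test' 'Moved' @()))
Compare-ImportUser -Working $working -Failing $failing | Format-List
# Live directory (ActiveDirectory module): build both arrays with
# Get-ADUser -Identity <name> -Properties mail, MemberOf
```

`MemberOf` lists direct memberships only, so a user who reaches the imported group through a nested group or as their primary group will be reported as not a direct member.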