If a new (to Confluence) user logs in during a directory synchronisation, the synchronisation will detect duplicate users or memberships, and all users/memberships that would have been added in the same batch are dropped. For regular LDAP, this problem will resolve itself on the next synchronisation attempt. However, for Active Directory, most synchronisations are incremental, so they won't be discovered until the next full synchronisation is run. Right now, the only way to trigger a full synchronisation for Active Directory is by restarting Confluence.

This should be fixed so that the batch processor will fall back correctly to processing individual records when a batch fails, so that only the actual duplicates are rejected.