When syncing an LDAP directory with Active Directory using incremental sync, user and group checks on periodic sync will properly respect the uSNChanged attribute and only make needed changes. However, even if AbstractCacheRefresher.synchroniseMemberships() returns an empty list, the connector will still query LDAP for all of the groups and check memberships as per a full sync, which can be very expensive in large ADs that depend on incremental syncs for performance.