
Questions about LDAP and Alfresco

eswbitto
Confirmed Champ
I am trying to find some documentation on a couple of questions that I have about how Alfresco interacts with AD.


When a user is created or deleted in Active Directory does Alfresco see those changes or does a restart need to be done in order for a re-sync to happen?

Let's say initially I used the whole forest (of users and groups) as a sync. Now I want to go back and filter out not such a broad search base. Now I know that all those users and groups would be stored in PostgreSQL. When I filter my search base, would those "other users and groups" still be in the database, or would they be deleted and only the new search base be present?


Thanks Guys for the awesome software!
2 REPLIES

bopolissimus
Confirmed Champ
Regarding sync: Alfresco has a default sync schedule. It'll sync against LDAP once a day. You can change the sync schedule. Below syncs at midnight. I have other installations where the sync is every hour. If the LDAP tree is large, you can do a differential sync. If it's small, even a full sync every hour isn't onerous. If it's very large (e.g., several thousand) then once a day with sync on logon-attempt is an option.

synchronization.import.cron=0 0 0 * * ?

When a user is created or deleted in AD, Alfresco will see those changes at sync (depends on your sync schedule) and also on whether your Alfresco is configured to autocreate people on logon. So depending on your sync schedule, it may take up to 24 hours (if you do the change at 23:59 🙂) for the change to be seen by Alfresco. But as noted above, other LDAP and sync settings can modify this behavior.

Regarding going back and modifying your search base or filters, if using the Community edition you'd need to restart Alfresco when you make those changes so that Alfresco will pick up the changes. My understanding is that you can make those changes online in Enterprise edition, no restart needed (but I don't have EE, just going by the documentation).

Regarding changing the filter and what happens to other users and groups that are no longer in the filter, you can configure the behavior by setting synchronization.allowDeletions. Set it to true to delete users and groups that no longer match your person and group queries (filters), false otherwise.

synchronization.allowDeletions=true
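
Added example (not part of the reply above and not Alfresco code): a dry run to list which already-synced accounts would fall outside a narrowed search base before turning on synchronization.allowDeletions=true. It assumes you have exported the DNs of the currently synced users, and it approximates the search base as a case-insensitive DN suffix match; the DNs, NEW_BASE and the function names are constructed for illustration, and the person and group queries can exclude further entries.

```python
def split_dn(dn):
    """Split a DN into normalized (attr, value) RDNs, honouring escaped commas."""
    parts, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                      # character after a backslash is literal
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            buf.append(ch)
            escaped = True
        elif ch == ",":                  # unescaped comma ends the RDN
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        rdns.append((attr.strip().lower(), value.strip().lower()))
    return rdns


def is_under(dn, base):
    """True if dn is the base entry itself or sits anywhere below it."""
    rd, rb = split_dn(dn), split_dn(base)
    return len(rd) >= len(rb) and rd[-len(rb):] == rb


def preview(synced_dns, new_base):
    """Return (kept, dropped) for a narrowed search base."""
    kept = [dn for dn in synced_dns if is_under(dn, new_base)]
    dropped = [dn for dn in synced_dns if not is_under(dn, new_base)]
    return kept, dropped


# Constructed sample data: DNs that an earlier forest-wide sync brought in.
SYNCED = [
    "CN=Alice Example,OU=Staff,DC=corp,DC=example",
    "cn=Bob Example, ou=Staff, dc=corp, dc=example",
    "CN=Example\\, Carol,OU=Contractors,DC=corp,DC=example",
    "CN=svc-backup,OU=Service Accounts,DC=corp,DC=example",
    "CN=Dave,OU=Staff,DC=other,DC=example",
]
NEW_BASE = "OU=Staff,DC=corp,DC=example"   # hypothetical narrowed search base

if __name__ == "__main__":
    kept, dropped = preview(SYNCED, NEW_BASE)
    print("kept:", *kept, sep="\n  ")
    print("would no longer match:", *dropped, sep="\n  ")
```

Review the "would no longer match" list for service accounts or content owners you still need before enabling deletions.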

eswbitto
Confirmed Champ
@bopolissimus
The once-a-day sync is fine for our society. We only have like 300+ entries, so it wouldn't take any time to sync up. Thanks for that info, and no, I turned off the on-demand user creation. I only want AD users to be able to log in without creating a "new" user.

On the filtering part…

Thank you! I will try that out and see how it goes!