Active Directory objects can be used to create security groups based on user identity, and identity-based firewall rules.
To enable selective sync, use the domain create/update API with selective sync enabled and a list of selected organizational units (OUs). When selective sync is enabled, NSX-T only synchronizes the AD data inside the selected OUs. During a selective delta sync, only the Active Directory data that is inside the selected OUs and has been created or changed since the last sync is updated. If any directory groups are removed from the selected OUs, they will not be updated during a selective delta sync. They will be updated during a full sync, when all directory groups are updated. For more information, see the NSX-T Data Center API Guide.
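The delta and full sync behaviour described above, modelled as an added example (not NSX-T code and not taken from the API guide), to show which cached groups stay stale until the next full sync. The GUID-keyed cache, the `changed` timestamp and the sample DNs are constructed, and the full sync is assumed to rebuild the cache from whatever is currently inside the selected OUs.

```python
from datetime import datetime

def in_selected_ous(dn, selected_ous):
    """True if dn lies under a selected OU (case-insensitive, whole-RDN match).
    Simplified: DNs with escaped commas are not handled."""
    d = dn.lower()
    return any(d == ou.lower() or d.endswith("," + ou.lower()) for ou in selected_ous)

def selective_delta_sync(cache, ad, selected_ous, last_sync):
    """Upsert only in-scope objects created or changed since last_sync.
    Cached entries that left the selected OUs are never visited."""
    out = dict(cache)
    for guid, obj in ad.items():
        if in_selected_ous(obj["dn"], selected_ous) and obj["changed"] > last_sync:
            out[guid] = obj["dn"]
    return out

def full_sync(ad, selected_ous):
    """Assumed model of a full sync: rebuild from everything currently in scope."""
    return {g: o["dn"] for g, o in ad.items() if in_selected_ous(o["dn"], selected_ous)}

def stale_groups(cache, ad, selected_ous):
    """Cached groups that AD no longer holds inside the selected OUs."""
    return sorted(g for g in cache
                  if g not in ad or not in_selected_ous(ad[g]["dn"], selected_ous))

# Constructed sample data.
OUS = ["OU=Finance,DC=corp,DC=example"]
LAST_SYNC = datetime(2024, 1, 1)
CACHE = {"g1": "CN=Payroll,OU=Finance,DC=corp,DC=example",
         "g2": "CN=Auditors,OU=Finance,DC=corp,DC=example",
         "g5": "CN=Temps,OU=Finance,DC=corp,DC=example"}
AD_NOW = {
    "g1": {"dn": "CN=Payroll,OU=Finance,DC=corp,DC=example", "changed": datetime(2023, 6, 1)},
    # g2 was moved out of the selected OU after the last sync; g5 was deleted.
    "g2": {"dn": "CN=Auditors,OU=Retired,DC=corp,DC=example", "changed": datetime(2024, 2, 1)},
    # g3 was created inside the selected OU after the last sync.
    "g3": {"dn": "CN=Treasury,OU=Finance,DC=corp,DC=example", "changed": datetime(2024, 2, 2)},
    # g4 sits in an OU whose name merely ends in "Finance": out of scope.
    "g4": {"dn": "CN=Lab,OU=NonFinance,DC=corp,DC=example", "changed": datetime(2024, 2, 3)},
}

if __name__ == "__main__":
    after_delta = selective_delta_sync(CACHE, AD_NOW, OUS, LAST_SYNC)
    print("stale after delta sync:", stale_groups(after_delta, AD_NOW, OUS))
    print("after full sync:", sorted(full_sync(AD_NOW, OUS)))
```

Security groups and identity-based firewall rules that reference a group reported as stale here keep evaluating against pre-removal data until a full sync completes.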
If you use the API to manually end a full sync after it has begun, the sync stats will not be updated correctly.