What is the question? I'm not able to understand the question exactly. Anyway, I will try to explain the OpenKM behaviour with AD.
OpenKM logs in with AD in real time, which means login needs access to AD. When the user logs into OpenKM they have some roles; even if you change them afterwards, it will not take any effect, because the user always (from database or AD) uses the groups they have at the exact time of login.
About the user and role lists shown in OpenKM from AD: these lists are cached and refreshed automatically (usually every 30 minutes, but the period might change). If you want to refresh them, you should go to Administration > Tools > Cache stats and refresh them (clicking reset at the top right to clean everything is the easiest way).