We found through trial and error that:
1) If the client PC is started off-network, then the endpoint agent starts but of course is unable to resolve AD information.
2) When the client PC is then connected to the network, the agent establishes communication with the Enforce server.
However, the "AD user group resolution failed" error does not resolve itself. (We expected that the agent would retry this after it connects to the server.)
The error can be resolved (worked around) by issuing a Restart of the DLP agent.