If you don't want CUCM to sync your entire LDAP directory, you will need to use a LDAP Custom Filter. This filter can be used to sync based on AD Security Group. The filter is:
(&(objectclass=user)(!(objectclass=Computer))(!(UserAccountControl:1.2.840.1135188.8.131.523:=2)) (memberOf=CN=Demo Security Group,OU=SecondOU,OU=FirstOU,DC=DomainName,DC=com))
With this example, the name of my AD Security Group is: Demo Security Group. Then, you must specify the entire LDAP location string of that security group. My example would be:
----Demo Security Group
This will allow you to only sync users to CUCM that are members of the Demo Security Group.