The user receives his/her security token at logon. The security token contains information regarding the user’s group membership and other rights.
If you add or remove a user to/from a particular group, then that user needs to receive a new token in order take advantage of the group membership. This process only occurs at logon. It cannot happen “on the fly.”