Users that are no longer in the group in the "Allow Active Directory authentication only to certain group" configuration option of the active directory application should be deactivated, similar to users that are deactivated in LDAP.
This will probably require a new feature in the LDAP user cleanup extension.
I added a new configuration parameter to the user cleanup job. Setting it to yes will delete the users that are not part of the included groups and that are part of the excluded groups.
Users that are no longer in the group in the "Allow Active Directory authentication only to certain group" configuration option of the active directory application should be deactivated, similar to users that are deactivated in LDAP.
This will probably require a new feature in the LDAP user cleanup extension.