An LDAP group had been imported to PAM. When the group was deleted, one of the users in the group remained behind in PAM w/o group association. Because it's an LDAP imported user, it cannot be deleted manually. There was no error when the user group was deleted.
Observed on PAM 3.1.1 but the same issue will appear on older PAM releases as well.
One user on the appliance has its "Email on Login" set to be the user which can't be removed from PAM .
Remove the "Email on Login" references (screen shot below) for all users in the group before deleting the LDAP group.
Importing the same user LDAP group again will bring user back to PAM. This issue has been fixed in the PAM 3.2 release. If one of the users in the LDAP group was configured as "Email on Login" for some other user, PAM will no longer delete the group and will show an error message similar to the following:
Error: PAM-UI-2404: Error deleting group. A user in the user group CN=Group Policy Creator Owners,CN=Users,DC=pam,DC=local could not be deleted, so the group was not deleted. See session logs for details.