Removing members of CA Identity Manager (IM) provisioning roles can delete Active Directory accounts. This can be seen in log entries like the ones below.
Global User 'userA' synchronized for deletions with existing provisioning roles successfully: (accounts deleted: 0, suspended: 0, updated: 0, re-created: 0, failures: 0)
Global User 'userB' synchronized for deletions with existing provisioning roles successfully: (accounts deleted: 1, suspended: 0, updated: 0, re-created: 0, failures: 0)
Global User 'userC' synchronized for deletions with existing provisioning roles successfully: (accounts deleted: 1, suspended: 0, updated: 0, re-created: 0, failures: 0)
Release : 14.x
Component : IdentityMinder(Identity Manager)
If you remove all the account templates associated with a specific endpoint from a user account, Identity Manager will try to remove the provisioning role from IDM and then delete the user account. This is because accounts are synchronized from the provisioning role to the account template, and if no account template is associated with the account on the same endpoint, the account is deleted.
If there are multiple account templates associated with an account and you remove only one account template from the endpoint, Identity Manager removes the provisioning role associated with the removed account template but does not delete the account, because the global user still has another account template and associated provisioning role on the same endpoint.
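The following is an added example, not part of the original article or of the product: a Python parser for the synchronization log line format quoted above that reports which global users lost accounts during role removal. The function names are assumptions; the sample holds the three log lines from the article plus one constructed unrelated line.

```python
import re

# Matches the "synchronized for deletions" summary line quoted in the article.
SYNC_RE = re.compile(
    r"Global User '(?P<user>[^']+)' synchronized for deletions with existing "
    r"provisioning roles successfully: \((?P<counters>[^)]*)\)"
)

def parse_sync_line(line):
    """Return (user, {counter: int}) for a sync summary line, else None."""
    m = SYNC_RE.search(line)
    if not m:
        return None
    counters = {}
    for part in m.group("counters").split(","):
        name, _, value = part.partition(":")
        if not value.strip().isdigit():
            return None  # malformed counter, do not guess
        counters[name.strip()] = int(value)
    return m.group("user"), counters

def users_with_deletions(lines):
    """List (user, accounts_deleted) for every line that deleted an account."""
    hits = []
    for line in lines:
        parsed = parse_sync_line(line)
        if parsed and parsed[1].get("accounts deleted", 0) > 0:
            hits.append((parsed[0], parsed[1]["accounts deleted"]))
    return hits

# Log lines from the article, followed by one constructed non-matching line.
SAMPLE = [
    "Global User 'userA' synchronized for deletions with existing provisioning roles successfully: (accounts deleted: 0, suspended: 0, updated: 0, re-created: 0, failures: 0)",
    "Global User 'userB' synchronized for deletions with existing provisioning roles successfully: (accounts deleted: 1, suspended: 0, updated: 0, re-created: 0, failures: 0)",
    "Global User 'userC' synchronized for deletions with existing provisioning roles successfully: (accounts deleted: 1, suspended: 0, updated: 0, re-created: 0, failures: 0)",
    "constructed unrelated log line",
]

if __name__ == "__main__":
    for user, count in users_with_deletions(SAMPLE):
        print(f"{user}: {count} account(s) deleted after role removal")
```

Running the same check over the log after a bulk role change shows which global users had their last account template on an endpoint removed.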