Release : 11.3.6

Component : WORKLOAD CONTROL CENTER

Component : EEM 

When you point EEM to LDAP and then update a user's details, adjusting their application group membership, that does create an entry in the EEM DB for the user eventhough they are an LDAP user.  Later, even if/when you adjust your EEM LDAP settings such that you may be pointing to a different LDAP those user's details remain in the DB and any policies you would have defined for them or their group membership would also still be active/available.

If you are wanting to remove/disable those users / memberships the best method would be to export the users to an xml file via the EEM UI, make the adjustments to the xml file needed 
and then import it back in via safex

something like:

<?xml version='1.0' encoding='UTF-8' standalone='no'?>
<Safex>
<Attach label="WorkloadAutomationAE"/>
<Modify>
<User folder="/" name="mydomain\\user123">
<GroupMembership mode='delete'>WorkloadAutomationAEWebService</GroupMembership>
</User>
</Modify>
</Safex>

or

<?xml version='1.0' encoding='UTF-8' standalone='no'?>
<Safex>
<Attach label="WorkloadAutomationAE"/>
<Remove>
<User folder="/" name="mydomain\\user123">
</User>
</Remove>
</Safex>

For more safex details see:

https://techdocs.broadcom.com/us/en/ca-enterprise-software/other/Embedded-Entitlements-Manager/12-6/programming/safex-command-line-reference.html