
Unable to remove AD users from PAM


Article ID: 256491


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are unable to remove two users from PAM. We confirmed that the users no longer belong to any AD user groups by editing the users in Active Directory, they have no Credential Manager Groups assigned, and they do not have "email self on login" enabled, i.e. there is no configuration in PAM that should block user deletion. At one point the users were incorrectly assigned to an AD group in a different domain, and PAM does not recognize that they were removed from it. We applied the user sync patch, but that did not help either.

Environment

Release: Applies to any PAM release

Cause

The user editor in Active Directory can be misleading. The user's membership list may show only groups in the user's own domain and omit membership in groups that belong to a different domain, so a user can appear to have no group memberships while still being a member of a cross-domain group.

Resolution

This is not a problem with PAM; it only reflects how LDAP import and refresh work. Import and refresh operate on user groups, not on individual users: PAM obtains the list of members by querying the group itself, in the domain the group belongs to, at the time of the import or refresh. Editing the user groups (rather than the users) in Active Directory showed that the users were in fact still members of those groups, which had been imported into PAM from the domain the groups belong to. As long as the group still lists the user, each refresh re-imports the user and the account cannot be deleted.

If the users were left in the cross-domain groups by mistake, work with the AD administrators of that domain to remove the group memberships, then run an LDAP refresh of the affected groups in PAM before deleting the users.
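The following PowerShell script is an added example, not part of the original article or of the PAM product, showing how to verify group membership the way PAM's LDAP import sees it: by querying each group's own domain for the group's member attribute rather than trusting the user's "Member Of" view. The user names, domain names and the assumption that the first domain listed is the users' home domain are hypothetical placeholders. It uses the LDAP_MATCHING_RULE_IN_CHAIN rule so nested membership is reported too, and it also checks for a foreignSecurityPrincipal entry, which is what the group's member attribute contains when the user lives in a different forest.

```powershell
# Added example (not from the original article or from CA PAM). Queries each
# domain that PAM imports groups from, on a DC of that domain, for groups whose
# member attribute (directly or via nesting) contains the given users.
Import-Module ActiveDirectory

# Escape a value for use inside an LDAP search filter (RFC 4515).
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ($ch) {
            '\'  { [void]$sb.Append('\5c') }
            '*'  { [void]$sb.Append('\2a') }
            '('  { [void]$sb.Append('\28') }
            ')'  { [void]$sb.Append('\29') }
            "`0" { [void]$sb.Append('\00') }
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

function Find-CrossDomainGroupMembership {
    param(
        # sAMAccountNames of the users PAM will not delete (hypothetical).
        [Parameter(Mandatory)][string[]]$User,
        # Domain that holds the user accounts (hypothetical).
        [Parameter(Mandatory)][string]$UserDomain,
        # Every domain PAM imports user groups from (hypothetical).
        [Parameter(Mandatory)][string[]]$GroupDomain
    )
    foreach ($name in $User) {
        try {
            $acct = Get-ADUser -Identity $name -Server $UserDomain
        } catch {
            Write-Warning "User '$name' not found in $UserDomain"
            continue
        }
        foreach ($domain in $GroupDomain) {
            # In the same forest the group's member attribute holds the user's DN;
            # across a forest trust it holds a foreignSecurityPrincipal named by SID.
            $dnc   = (Get-ADRootDSE -Server $domain).defaultNamingContext
            $fspDn = "CN=$($acct.SID.Value),CN=ForeignSecurityPrincipals,$dnc"
            $userDnEsc = ConvertTo-LdapFilterValue $acct.DistinguishedName
            $fspDnEsc  = ConvertTo-LdapFilterValue $fspDn
            # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN (nested membership).
            $filter = "(|(member:1.2.840.113556.1.4.1941:=$userDnEsc)" +
                      "(member:1.2.840.113556.1.4.1941:=$fspDnEsc))"
            $groups = Get-ADGroup -LDAPFilter $filter -Server $domain
            foreach ($g in $groups) {
                [pscustomobject]@{
                    User        = $acct.SamAccountName
                    UserDomain  = $UserDomain
                    GroupDomain = $domain
                    Group       = $g.DistinguishedName
                }
            }
        }
    }
}

# Usage with hypothetical names: list every group, in any imported domain, that
# still carries the two users. Anything listed here is what PAM re-imports on refresh.
Find-CrossDomainGroupMembership -User 'jdoe', 'asmith' `
    -UserDomain 'corp.example.com' `
    -GroupDomain 'corp.example.com', 'partner.example.com' |
    Format-Table -AutoSize

# To remove an in-forest membership reported above (coordinate with that domain's
# AD administrators; -WhatIf previews the change, drop it to apply):
# Remove-ADGroupMember -Server 'partner.example.com' -Identity '<group DN>' `
#     -Members '<user DN>' -WhatIf
```

Run it with an account that has read access to each listed domain. Once the output is empty for a user, refresh the corresponding LDAP groups in PAM; the user is then no longer re-imported and can be deleted.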