When logging in to vCenter and navigating to vCenter Administration → Single Sign On → Users and Groups, and then selecting the Active Directory domain associated with vCenter, more users appear in the list than actually have access to vCenter.
Attempting to delete these users may fail with the message: "Principle name not found"
VMware vCenter Server
This is expected behavior.
When you add the Active Directory identity source to vCenter Server, vCenter Server joins the Active Directory domain. This involves configuring the vCenter Server to recognize and authenticate against your AD domain. With AD as an identity source, vCenter Server can retrieve all users and groups from AD and make them available as principals that can log in to vSphere and access resources.
All the users from the Active Directory will show up under vCenter Administration → Single Sign On → Users and Groups → Active Directory Domain Name.
By default, none of these users can log in to vCenter. You must assign permissions to AD users and groups before they can access vCenter resources.
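To confirm which of the listed AD principals actually hold access, the following PowerCLI script (an added example, not part of this article) lists every vCenter permission granted to principals from the AD identity source together with the role and inventory object it applies to. The vCenter name and domain are placeholders to replace.

```powershell
# Added example (not from the KB): audit which Active Directory principals actually hold
# vCenter permissions. Appearing under Users and Groups does not grant access; only an
# explicit permission (principal + role + inventory object) does.
# Assumptions: PowerCLI is installed, and the two placeholders below are replaced.
$vCenter  = 'vcenter.example.local'   # placeholder vCenter FQDN
$adDomain = 'CORP'                    # placeholder NetBIOS name of the AD identity source

Connect-VIServer -Server $vCenter | Out-Null

# Every permission in the inventory, restricted to principals from the AD domain.
# Principals are reported as 'DOMAIN\name'; local SSO accounts are left out.
$adPermissions = Get-VIPermission | Where-Object { $_.Principal -like "$adDomain\*" }

# Privilege count per role, so broad roles stand out in the report.
$roles = @{}
foreach ($r in Get-VIRole) { $roles[$r.Name] = $r.PrivilegeList.Count }

$report = $adPermissions | ForEach-Object {
    [pscustomobject]@{
        Principal  = $_.Principal
        IsGroup    = $_.IsGroup
        Role       = $_.Role
        Privileges = $roles[$_.Role]
        Entity     = $_.Entity.Name
        Propagate  = $_.Propagate
    }
} | Sort-Object Principal, Entity

$report | Format-Table -AutoSize

# Distinct AD principals that can actually reach something in vCenter.
$withAccess = $report | Select-Object -ExpandProperty Principal -Unique
Write-Host "AD principals with vCenter permissions: $($withAccess.Count)"

# Built-in Administrator role ('Admin') granted at the root folder ('Datacenters')
# is the broadest possible grant, so call it out explicitly.
$report | Where-Object { $_.Role -eq 'Admin' -and $_.Entity -eq 'Datacenters' } |
    ForEach-Object { Write-Host "Root Administrator grant: $($_.Principal)" }

Disconnect-VIServer -Server $vCenter -Confirm:$false
```

Any AD user visible under Users and Groups but absent from this report has no permission and therefore cannot log in, which is the behavior the article describes.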