If we can have Foreman auto-create accounts from AD it seems logical that removal from AD would also remove the account from Foreman. This doesn't happen though. It seems that the design of the AD integration with Foreman doesn't account for this, which makes it painful for account management. The process as it is today to remove a user from Foreman is:
1. Remove from AD.
2. Re-assign any host ownership to someone else because Foreman won't let you remove an account if it owns a host.
3. Remove the account from Foreman.