If you have a named user who has been removed from an AD group, he won't have access to group content but still has a valid named user account. Is there a way to delete his named user account automatically once he is dropped from the AD group?
I guess that is not possible yet.
http://server.arcgis.com/en/portal/latest/administer/windows/manage-members.htm
If a member is deleted directly from the identity store, the member is retained in the portal. You will need to delete the member manually in the portal.
But I believe you can script the user removal with Python.
The PortalPy library on GitHub, I believe, has the tools for doing this.
And I would imagine that ArcPython (in beta) will have similar functionality.
The ArcREST library might also help.
When I say script it, I mean you could have a Python script that you could pass the user name to and have it remove the user.
That's quasi-automated in my mind.
To fully automate it, you somehow have to get AD to trigger a function, or maybe you could hook into AD and watch the groups and, when a name drops off, auto-remove it, or ... I have not worked with AD in Python, but this lib looks pretty simple:
Tim Golden's Python Stuff: Active Directory Cookbook
or
ldap-groups 2.5.3 : Python Package Index
That would mean keeping a table of groups in a file and users in the groups (basically duplicating the AD tree for the groups you are enabling in Portal) and running a nightly or weekly process to watch for changes.
Maybe the PortalAdmin tools from GeoJobe have something?
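One way to implement the nightly comparison described above, as an added example that is not part of the original thread: it diffs the AD group's members against the portal's named users and returns the accounts to remove. The member lists are assumed to be fetched elsewhere, and `delete_user`, `protected` and the snapshot file are hypothetical names introduced here.

```python
import json
from pathlib import Path

def normalize(name):
    """Map DOMAIN\\user, user@domain and user to one lowercase key.
    Assumption: a single AD domain, so the bare account name is unique."""
    name = name.strip().lower()
    if "\\" in name:
        name = name.split("\\", 1)[1]
    return name.split("@", 1)[0]

def plan_removals(ad_members, portal_users, protected=(), max_fraction=0.5):
    """Return portal usernames whose account is no longer in the AD group."""
    portal_users = list(portal_users)
    allowed = {normalize(m) for m in ad_members}
    if not allowed:
        # A failed or empty directory query must never read as "remove everyone".
        raise RuntimeError("AD group returned no members; refusing to continue")
    skip = allowed | {normalize(p) for p in protected}
    stale = sorted(u for u in portal_users if normalize(u) not in skip)
    if portal_users and len(stale) / len(portal_users) > max_fraction:
        raise RuntimeError(f"{len(stale)} removals exceed the safety threshold")
    return stale

def dropped_since_last_run(ad_members, snapshot_path):
    """Diff current group members against the stored snapshot, then update it."""
    path = Path(snapshot_path)
    current = {normalize(m) for m in ad_members}
    previous = set(json.loads(path.read_text())) if path.exists() else set()
    path.write_text(json.dumps(sorted(current)))
    return sorted(previous - current)

def reconcile(ad_members, portal_users, delete_user, protected=(), dry_run=True):
    """Call delete_user (hypothetical callable supplied by the caller, for
    example a wrapper around your portal library) for each stale account."""
    stale = plan_removals(ad_members, portal_users, protected)
    if not dry_run:
        for username in stale:
            delete_user(username)
    return stale

if __name__ == "__main__":
    # Constructed sample data, not taken from a real directory or portal.
    ad = ["CORP\\alice", "bob@corp.example"]
    portal = ["alice", "BOB", "carol", "siteadmin"]
    print(reconcile(ad, portal, delete_user=print, protected=["siteadmin"]))
```

Run it with `dry_run=True` first and review the returned list before enabling deletion.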