Core issue
Users are still present in the Access Control Server (ACS) after they are removed from Active Directory (AD).
Resolution
Cisco Secure ACS for Windows always checks AD for a username and password combination. This check is the only way that ACS ever recognizes a change made in AD. For example, if a user account becomes invalid on AD, ACS queries AD upon a new authentication and AD responds with a Fail message.
For more information, refer to the Windows Authentication of Unknown Users section of the Cisco Secure ACS for Windows version 3.3 User Guide: Unknown User Policy.
You cannot apply a specific Network Access Restriction (NAR) to any AD user authenticated using Cisco Secure ACS for Windows. However, you can use the group mapping feature of Cisco Secure ACS for Windows to apply a specific NAR to any AD user authenticated with Cisco Secure ACS for Windows.
For more information, refer to the NAC Group Mapping section of the Cisco Secure ACS for Windows version 3.3 User Guide: User Group Mapping and Specification.