OpenLDAP has a nice "feature" that allows for group members to continue to exist, even if the user does not exist any more. Really handy! Problem is, if you, say, have a user in the "Domain Admins" group, and you delete that account, and then some normal user comes along with the same username, they will end up with unexpected elevated privileges.
So I created a script that I run weekly that finds group members that no longer exist, and sends me a report. It also tells me which groups are empty.
This relies on my toolbox... Find it here.