Ok, here's the process, but you need to be clear about the difference between
SharePoint users used for security and Profiles. They are related, but not the
same thing.
First Profiles.
1. Moss is setup to import all the users in your AD domain as profiles
into the SSP that you create. However, this action is not scheduled. Profiles
will not be imported until you either do a manual import or setup the schedule
for Full and incremental imports. This imparts no security rights to the user
at all.
2. After the profiles have been imported. If a user is deleted in AD then
after 3 successive full profile imports there profile will be deleted also. If
deactivated their MySite will be cleaned up, but not their profile.
Authentication/Authorization (Assuming you are not using any kind of Forms Based
Authentication)
1. SharePoint depends on Windows Authentication via IIS to establish the
user's identity. (this happens completely external to SharePoint)
2. SharePoint checks the user's AD identity and group membership, as
established in #1, to see what the user has the ability to do in SharePoint.
You can successfully authenticate and still not gain access to SharePoint.
3. Security Access in SharePoint is dependent on the AD identity or an AD
group of which the user is a member being added as a SharePoint user. Or the
user or group may be added directly to a SharePoint group. This will allow the
user to gain access to SharePoint resources.
4. If the access is through group membership then the user's identity will
only be added to SharePoint when the user logs in and submits something to a
document library or list. This adds their identity as a user, but doesn't
directly re-associate them with specific rights. The rights are still gained
through group membership. But they would now show up in the People and Groups
list.
5. If the user's account is deactivated or deleted in AD their account in
SharePoint is NOT deleted, but they won't be able to use it to access SharePoint
anymore because AD won't be able to authenticate them so they'll never get to
Authorization. If deactivated, you will still be able to click on their name
attached to documents or list items and see their profile. If deleted clicking
on these items will normally lead to an error page because the profile isn't
there anymore.
6. Removing SharePoint users can be done programmatically, but it is a
fairly involved process requiring walking each object in the FARM and looking
for the user entries. There are 3rd party products that do this, but I don't
normally recommend using them since you are destroying the history of the user
in the system.
My normal recommendation is to deactivate users in AD, but let them stay in
SharePoint. Once deactivated they won't be able to login, but history of their
usage of the system will remain intact.
BTW, I'm giving a talk on this very subject at the Best Practices Conference in
August. It's actually even more involved than what I've listed above. Click on
the link in my signature line to see more about the conference.