After removing a user from the trusted AD domain from an external IPA group, e.g. with a command similar to ipa group-remove-member test_group_ext --external administrator@samba.test
the group memberships of the user are not removed from the groups the external group is a member of, even after the cached entry of the user is expired.
The trigger to reproduce the issue is to disable the tokengroups lookup by setting ldap_use_tokengroups = False and making sure that this option is inherited by the SSSD sub-domains by setting subdomain_inherit = ldap_use_tokengroups.