> It is mostly about ensuring some busy admin doesn't have to inventory every user permission.
So, it's a bad authn practice that is maintained to mitigate the impacts of bad authz practices (you make authn less secure when people are intended to be authorized, in the hopes that when they aren't and you haven't cleaned up their permissions, the password expiration will cause authn failures so the fact that their authorization hasn't been revoked won't matter), instead of adopting good authn and authz practices?
Each department's resources are usually preemptively cut off globally from the redundant employees at the same time for safety reasons. A lot faster than chicken-pecking each user's group membership, and batched password invalidation.
If the former user had IT administrative and VPN access, it would otherwise take time to figure out who should still be there. It is faster to rotate the whole department's access to auto-kick non-participants off the network. Then mop up the specific user logins, and migrate any orphaned user assets into the department share.
Keep in mind >90% of security breaches come from within firms. =3
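The "rotate the whole department, then mop up" sequence the comment above describes, as an added example against Active Directory; this is not code from anyone in the thread. It assumes the RSAT ActiveDirectory module, and the OU path, the 30-day "has not logged in" cutoff, the department share path and the dry-run switch are hypothetical placeholders.

```powershell
# Added example (not from this thread): batch-invalidate every password in a department OU,
# then report the accounts and group memberships that still need manual cleanup.
# Assumes the RSAT ActiveDirectory module. Placeholders below are hypothetical.
Import-Module ActiveDirectory

$DeptOU     = 'OU=Finance,OU=Users,DC=corp,DC=example'   # hypothetical department OU
$DeptShare  = '\\fileserver\Finance\Orphaned'             # hypothetical department share
$StaleAfter = (Get-Date).AddDays(-30)                     # hypothetical "probably gone" cutoff
$DryRun     = $true                                       # set to $false to actually apply

# Pull every enabled account in the OU once, with the attributes the two steps need.
$Users = Get-ADUser -SearchBase $DeptOU -Filter 'Enabled -eq $true' `
            -Properties MemberOf, LastLogonDate, HomeDirectory

# Random reset value: the user never learns it, so the account is unusable until an
# admin hands out a new one. Existing passwords stop working for every account in the OU,
# which is what pushes anyone who should not still be there off AD-backed logons.
function New-RandomPassword {
    $chars = (48..57) + (65..90) + (97..122)              # 0-9, A-Z, a-z
    $plain = -join ($chars | Get-Random -Count 24 | ForEach-Object { [char]$_ })
    return ConvertTo-SecureString $plain -AsPlainText -Force
}

# Step 1: batched invalidation of the whole department.
foreach ($u in $Users) {
    Set-ADAccountPassword -Identity $u -Reset -NewPassword (New-RandomPassword) -WhatIf:$DryRun
    Set-ADUser -Identity $u -ChangePasswordAtLogon $true -WhatIf:$DryRun
}

# Step 2: mop up. Accounts nobody has used since the cutoff are the likely leavers.
# LastLogonDate comes from lastLogonTimestamp, which replicates lazily (up to 14 days
# behind), so this is a triage list, not proof that the person is gone.
$Candidates = $Users | Where-Object {
    $null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $StaleAfter
}

foreach ($u in $Candidates) {
    # Group membership is the authz that password expiry alone never revokes.
    $groups = ($u.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=', '' }) -join '; '
    [pscustomobject]@{
        User      = $u.SamAccountName
        LastLogon = $u.LastLogonDate
        Groups    = $groups
        HomeDir   = $u.HomeDirectory
    }

    # Disable the specific login, then move any orphaned home directory into the share.
    Disable-ADAccount -Identity $u -WhatIf:$DryRun
    if ($u.HomeDirectory -and (Test-Path $u.HomeDirectory)) {
        Move-Item -Path $u.HomeDirectory -Destination (Join-Path $DeptShare $u.SamAccountName) -WhatIf:$DryRun
    }
}
```

Run it first with `$DryRun = $true`: every `-WhatIf:$DryRun` call prints what it would change instead of changing it, and the table of candidates (with their surviving group memberships) is the list an admin still has to work through by hand, which is the part the comment above is arguing about.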