Each departments resources are usually preemptively cutoff globally from the redundant employees at the same time for safety reasons. A lot faster than chicken pecking each users group membership, and batched password invalidation.

If the former user had IT administrative and VPN access, it would otherwise take time to figure out who should still be there. It is faster to rotate the whole departments access to auto kick non-participants off the network. Then mop up the specific user logins, and migrate any orphaned user assets into the department share.

Keep in mind >90% of security breaches come from within firms. =3