Evan,

Here is some PowerShell code we use to perform the aforementioned functions. Our terminated user objects are moved to a specific OU, and then the following code is run against that target. We have it set to run multiple times per day as a scheduled task.

Hope this helps.

#########################################################
# PowerShell - Remove all users from defined group(s)	#
#	                                                #
# By - Kevin D. Butler - 02 January 2019                #
#########################################################
#
# Notes:
#
# Removes specified AD security group memebership from all user accounts defined in the "Get-ADUser -Searchbase" targeted OU and subordinate OU's if present
#
import-module activedirectory
Get-ADUser -SearchBase "OU=Terminated Employees,DC=your,DC=org" -Filter * | ForEach-Object {Remove-ADGroupMember -Identity "DuoUserGroup1" -Members $_ -Confirm:$false }
Get-ADUser -SearchBase "OU=Terminated Employees,DC=your,DC=org" -Filter * | ForEach-Object {Remove-ADGroupMember -Identity "DuoUserGroup2" -Members $_ -Confirm:$false }
Get-ADUser -SearchBase "OU=Terminated Employees,DC=your,DC=org" -Filter * | ForEach-Object {Remove-ADGroupMember -Identity "DuoUserGroup2" -Members $_ -Confirm:$false }
#
#################
# End Of Script #
#################