Remove an LDAP user safely on Splunk Enterprise

If you remove a user from your LDAP directory, Splunk Enterprise does not automatically remove the corresponding Splunk user. While this is rarely a problem, if the user has global permissions of any sort, LDAP might generate errors.

Take the following steps to safely remove a Splunk user:

  1. Back up the $HOME/splunk/etc/users/$userid folder.
  2. Search the files under $HOME/splunk/etc/apps/ for the user ID string to see if the user owns any searches or objects with global permissions.
  3. For any searches or objects that the user owns, change the owner. You can change it to any other valid user.
  4. On search heads, review splunkd.log to confirm there are no LDAP authentication errors associated with the user.
  5. Once you have redirected object ownership, you can safely remove the $HOME/splunk/etc/users/$userid folder.
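
Steps 1 and 2 can be scripted. The following is an added example, not Splunk tooling or code from the original page. It assumes each app's `metadata/*.meta` file records `owner = <userid>` per object stanza and marks global sharing with `export = system`; the function names and the `jdoe` sample tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: steps 1 and 2 of the procedure, not Splunk tooling.
# Assumption: each app's metadata/*.meta file records "owner = <userid>" per
# object stanza, and "export = system" marks the object as globally shared.

# Step 1: backup_user ETC_DIR USERID DEST_DIR -> prints the archive path.
backup_user() {
    [ -d "$1/users/$2" ] || { echo "no user folder: $1/users/$2" >&2; return 1; }
    tar -czf "$3/$2-users-backup.tar.gz" -C "$1/users" "$2" &&
        echo "$3/$2-users-backup.tar.gz"
}

# Step 2: owned_objects ETC_DIR USERID -> "<meta file> TAB <stanza> TAB <global|app>"
# Owner is compared exactly, so "jdoe" does not also match "jdoe2".
owned_objects() {
    find "$1/apps" -type f -path '*/metadata/*.meta' | sort |
    while IFS= read -r f; do
        awk -v user="$2" -v file="$f" '
            function value(line) { sub(/^[^=]*=[ \t]*/, "", line); sub(/[ \t\r]+$/, "", line); return line }
            function emit() {
                if (stanza != "" && owner == user)
                    printf "%s\t%s\t%s\n", file, stanza, (share == "system" ? "global" : "app")
            }
            /^\[.*\]/ { emit(); stanza = $0; owner = ""; share = ""; next }
            /^[ \t]*owner[ \t]*=/  { owner = value($0) }
            /^[ \t]*export[ \t]*=/ { share = value($0) }
            END { emit() }
        ' "$f"
    done
}

# Constructed sample tree for trying the functions offline.
make_demo_tree() {
    mkdir -p "$1/users/jdoe/search/local" "$1/apps/search/metadata"
    echo '[Failed logins]' > "$1/users/jdoe/search/local/savedsearches.conf"
    cat > "$1/apps/search/metadata/local.meta" <<'EOF'
[savedsearches/Failed%20logins]
owner = jdoe
export = system

[savedsearches/Disk%20usage]
owner = jdoe

[views/overview]
owner = jdoe2
export = system
EOF
}
```

Run `owned_objects "$HOME/splunk/etc" "$userid"` against a real installation; every object it lists needs a new owner in step 3, and the ones reported as `global` are those with global permissions.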