The web server must disable accounts when the accounts are no longer associated to a user.

Disabling expired, inactive, or otherwise anomalous accounts supports the concepts of least privilege and least functionality which reduce the attack surface of the system.