I had a user in the AD which was removed. The user is still in episerver though. Shouldn't it be removed from episerver (tblSynchedUser?) when it is removed from AD?
You probably need to use the LDAP provider to get that behaviour.
The only sync that occurs (I think) is for the roles when the user calls Validate() or when the user or someone else calls GetRolesForUser().
"LDAP provider"? Which provider is that?
When I look at a user in epiadmin, the GetRoles method should run I would guess. That didn't update the user though.
The one called ActiveDirectory*Provider. It's mentioned here with some small adjustments that are good to do: https://dev.solita.fi/episerver/2016/01/08/active-directory-integration-with-episerver.html
Looking again, it looks like GetRolesForUser is only re-syncing if it's the current user calling it with the current user's username as input and that call is not cached.
Otherwise you will just get the data from tblSynched*.