The symptom is that users are unable to log in to the registered application, although this can be sporadic.
Searching for the user in EEM shows two users: one under a folder named Orphaned Users, and one where you would normally expect to see the user in the LDAP hierarchy.
To remove an orphaned user and re-establish login capabilities for the end user, do the following:
1. Log in to EEM as EiamAdmin, selecting the registered application (Service Catalog, for example) and not Global from the Application drop-down menu on the login screen.
2. Select the Manage Identities tab and under 'Search Users' click the radio button for 'Application User Details', enter the userID in the search text box and click Go.
3. This should return the orphaned user. Select the username that is presented in the Orphaned Users folder, click the "Remove application user details" button on the far right, and save.
4. To reset this user correctly, still in the Search Users area, click the radio button for 'Global Users', enter the userID in the search text box and click Go.
5. Select the user returned in the result and click the 'Add application user details' button and save.
The user now exists as it is meant to, with a single entry in its LDAP hierarchy location. The Orphaned Users folder should no longer exist.