That is an AD "feature". If you use AD groups, you can take somebody out of the group and AD will happily repsond that the user is a group member for several hours. You can easily check the AD answer using the squid auth helper. Probably this can be configured on the AD side but I am not an AD freak so I cannot help there.- When we change a password on the Active Directory, squid don't see the change before a lot of hours ...
HTH, J.Curdes
