Sorry, I should clarify what I mean by:
"when I removed this external group the users retained their Admin group even after deleting the SSSD cache completely on the server/client and restarting SSSD"
When running the id command for any affected user, it still showed membership of the admin group, and the users could log in to any system where an HBAC rule is configured to permit access to the Admin group only.
I should also note that I am running FreeIPA 4.9.8 in the freeipa-server:rocky-8-4.9.8 container.