(See JCLI-178 for a report of this against JCLI).
The JCLI action "removeUser":

• uses SOAP api: deleteUser(token, userId)
• has source: https://bitbucket.org/bob_swift/jira-cli/src/d0d975d4b210/src/main/java/org/swift/jira/cli/JiraUserHelper.java

Given:

• using jira internal directory (embedded Crowd, i.e. tables cwd_user, cwd_membership etc)
• the appropriate constraints are satisfied (user is not reporter, assignee nor project lead)

Result:

• the user is removed from cwd_user
• stray records remain in cwd_membership, check with this query:

  SELECT * FROM cwd_membership where not exists (select * from cwd_user where id=child_id)

• If later the same user_name is created, it magically appears in the stray groups and cannot be removed from them
  • Jira and JCLI think the operation succeeds, but it has no effect
  • if jira-users is one of these groups, the user can login even before he's officially added to jira-users

Analysis:

• normally there are two relations cwd_user.id=cwd_membership.child_id and cwd_user.user_name=cwd_membership.child_name, but in this case only the latter holds. child_id is in effect a hanging FK without PK
• given JRA-13915, guess it's possible that other stray records are left behind
• IMHO this is also a CWD bug: no matter how called, it should uphold referential integrity