I don't know how most do this, or the size of the various environments, but what I did at my previous employer was create a group for each year (DenyAccess2008, DenyAccess2009, etc). Then my "DenyAccess" group had current year terminations + my other Groups
- Joe Smith/US/Domain
- Sally Jones/FR/Domain
At the end of each year, I'd copy all the "DenyAccess" names to a new DenyAccessYEAR group and add the new DenyAccessYear to the DenyAccess Group. Of course, I'd not copy any of the DenyAccessYEAR groups to the others, and left those in the primary "DenyAccess" group.
Granted, I only had to work with about 2000 users, but this made it easy to manage year to year. I'm sure you could do this for multiple locations/regions (DenyAccessFR2008, DenyAccessJP2009, yada yada).
Add User in Deny Group List (Meena Ramesh 10.Aug.12)
Feedback response number WEBB8X2QF8 created by Brian Graham on 08/10/2012
. . Size of your environment? (Brian Graham 10.Aug.12)
. . . . Same thing..Problem exits (Meena Ramesh 11.Aug.12)
. . . . . . code it in your agent (raymond neeves 12.Aug.12)