we had a similar challenge at one customer and removal of colleagues even from groups (and degrading them from domain admins to normal users) led to some struggle, because their users were used in Workflows and execution was no longer possible.
You might want to check the resources that are affected by this user. This could be possible by retrieving affected resources via API.
If the user or the credentials of this user are also used in python processors or such, it might become a bit more difficult though.
There should be an option to change a resource owner via the API, so maybe also this could be an option to actively assign the resources to someone else before removing the user.
Apart from that I think it does not make a big difference if you remove the user from the domain, set it inactive or delete it.
If you “only” want to prevent a person to login anymore, you could also simply reset the password of the user, which should not affect the resources and rights in OD.
Hope this helps.