We have a complex HR workflow where Supervisors are granted access to their direct reports' folders. These permissions are reset on occasion, because an employee moved, or because the Supervisor moved to a different area. Let's call the supervisor Pointy Hair from now on.
In the first part of this rule, we remove Pointy Hair's permissions for all their direct reports' folders. This is done via an ACL search. This returns the correct list, whether or not Pointy Hair is still in Active Directory.
Once we have that list, we remove the permissions and re-apply them as needed.
As a check, we added a Find User task so that if the user is not found, we don't bother resetting permissions. When a user is removed from AD, all permissions for that user seem to be removed auto-magically.
But...even though we can find folders where Pointy Hair has access, the Find User task itself fails. This is true whether we reference the repository as a source or the Active Directory itself. Here is what it looks like:
When we go to one of the folders there is no leftover SID in Access Rights.
Our expectation for the Find User task was that this condition would be returned as False: (Ignore the True branch below; our do-nothing branch is the other one.)
So on one hand we can search for permissions for a non-existent user, and on the other, we don't have a test to see if the user is in AD. Instead of failing, shouldn't the Find User task just return False?
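Since the post does not show the workflow tool's own tasks, here is the same logic as an added PowerShell example (not code from the original post or from the product it describes). It assumes NTFS folders and the ActiveDirectory module; the account name, SID and paths are placeholders. It shows a "find user" check that returns False for a missing account instead of failing, and an ACL search keyed on SID so it still returns the folders after the account has been deleted from AD.

```powershell
# Added example, not code from the original post or from the workflow product it
# describes. Two pieces the post needs, in plain PowerShell:
#  1. Test-ADUserExists: "is this user still in AD?" returning $false instead of failing
#  2. Find-FolderAccess / Remove-FolderAccess: an ACL search for the account (or its
#     orphaned SID) over a folder tree, and removal of the explicit entries it finds.
# Assumptions: ActiveDirectory module installed, NTFS folders, hypothetical names/paths.
Import-Module ActiveDirectory

function Test-ADUserExists {
    [OutputType([bool])]
    param([Parameter(Mandatory)][string]$Identity)
    try {
        $null = Get-ADUser -Identity $Identity -ErrorAction Stop
        return $true
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # Get-ADUser throws rather than returning nothing; this is the "False" branch.
        return $false
    }
    # Any other error (no DC reachable, bad credentials) is deliberately not caught:
    # "user is gone" and "lookup failed" must not be confused, or an outage would
    # look like a deleted account.
}

function Get-TargetSid {
    # Accept either DOMAIN\user or a SID string (the only form usable after deletion).
    param([Parameter(Mandatory)][string]$Identity)
    if ($Identity -match '^S-1-') {
        return [System.Security.Principal.SecurityIdentifier]$Identity
    }
    $account = [System.Security.Principal.NTAccount]$Identity
    return $account.Translate([System.Security.Principal.SecurityIdentifier])
}

function Find-FolderAccess {
    # Return every explicit (non-inherited) ACE under $RootPath that belongs to $Identity.
    param(
        [Parameter(Mandatory)][string]$RootPath,
        [Parameter(Mandatory)][string]$Identity
    )
    $target = Get-TargetSid -Identity $Identity
    Get-ChildItem -Path $RootPath -Directory -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            $acl = Get-Acl -Path $_.FullName
            foreach ($ace in $acl.Access) {
                if ($ace.IsInherited) { continue }
                # Compare on SID: a deleted account appears in the ACL as a raw SID that
                # no longer translates to a name, but it still matches here.
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
                if ($sid.Value -eq $target.Value) {
                    [pscustomobject]@{
                        Path   = $_.FullName
                        Rights = $ace.FileSystemRights
                        Type   = $ace.AccessControlType
                        Ace    = $ace
                    }
                }
            }
        }
}

function Remove-FolderAccess {
    # Strip the matching explicit ACEs; the caller re-applies what is still needed.
    param(
        [Parameter(Mandatory)][string]$RootPath,
        [Parameter(Mandatory)][string]$Identity
    )
    Find-FolderAccess -RootPath $RootPath -Identity $Identity |
        Group-Object Path | ForEach-Object {
            $acl = Get-Acl -Path $_.Name
            foreach ($hit in $_.Group) { $acl.RemoveAccessRuleSpecific($hit.Ace) }
            Set-Acl -Path $_.Name -AclObject $acl
        }
}

# Usage (hypothetical names). Mirrors the post's branch: reset only when the
# supervisor is still in AD; if the account is gone, do nothing.
$supervisor = 'CONTOSO\pointy.hair'   # or the SID string once the account is deleted
$root       = '\\fileserver\hr\reports'
if (Test-ADUserExists -Identity 'pointy.hair') {
    Find-FolderAccess -RootPath $root -Identity $supervisor | Format-Table Path, Rights, Type
    Remove-FolderAccess -RootPath $root -Identity $supervisor
    # ...then re-apply rights for the current direct-report folders here
}
else {
    Write-Verbose 'Account no longer in AD; nothing to reset'
}
```

Two points worth noting if you adapt this to the workflow tool. `Get-ADUser` behaves like the failing Find User task: a missing identity is an error, not an empty result, so the wrapper is what turns it into a True/False branch, and it catches only the not-found exception so that a directory outage is not mistaken for a deleted account. The ACL search compares on SID rather than on name, which is why it keeps returning the folders for a supervisor who has already left AD; if your repository really scrubs the SID on deletion, the search will simply come back empty.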