If you automate this, do not connect to a named domain controller, if your company have multiple - use the load balancer in front. You do not want one single point of failure - been there, done that, and got the t-shirt. The named DC was down, and all users deleted from SMC 🙂
You may also want to look into the 3rd-party plug-ins for 9.4 from Metacoda, and their "Identity Sync": A New Perspective on Your SAS® Metadata – Metacoda
Now we just mark users for deletion while syncing, and do a manual verification before users are removed - you may not want to leave a lot of content "without owner" in your metadata.