Hi @Mamorim,
If you remove a user from an AD group, you need to wait for a refresh which takes, in the default configuration, 6 hours. In order to configure this to happen quicker, look at the following configuration in the same xwiki.cfg file:
#-# Time in s after which the list of members in a group is refreshed from LDAP
#-# The default is 21600 (6 hours)
# xwiki.authentication.ldap.groupcache_expiration=21600
Hope it helps,
Alex