Thanks for the script, John.
I noticed that @AcctName is not populated at any stage of the script, so the 0x534 logic will not work correctly.
Also, AD accounts and groups can be renamed, so a group may not have a matching name from AD, but the AD group SID still matches the SQL AD group name.
e.g. GRP-ApplicationNameV001 is renamed to GRP-ApplicationNameV002 in AD, SQL still contains V001 and authentication continues to work. The script will detect this as an orphaned AD group and delete it.
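One way to avoid the false positive described in this comment is to resolve each stored SID back to its current AD name instead of looking the SQL-side name up in AD. The T-SQL below is an added example, not the script from the thread; the `DOMAIN\GRP-...` names are hypothetical and it assumes the SQL Server service account can query the domain.

```sql
-- Added example (not the thread's script): classify Windows logins and groups
-- in sys.server_principals by SID, so a renamed AD group is not treated as orphaned.
SET NOCOUNT ON;

DECLARE @result TABLE (
    principal_name sysname,
    principal_type char(1),
    stored_sid     varbinary(85),
    current_name   sysname NULL,
    status         varchar(20)
);

INSERT INTO @result (principal_name, principal_type, stored_sid, current_name, status)
SELECT p.name,
       p.type,
       p.sid,
       SUSER_SNAME(p.sid),                                        -- current AD name for this SID
       CASE
           WHEN SUSER_SNAME(p.sid) IS NULL   THEN 'ORPHANED'      -- SID no longer maps to any AD object
           WHEN SUSER_SNAME(p.sid) <> p.name THEN 'RENAMED'       -- SID still valid, AD name changed
           ELSE 'OK'
       END
FROM sys.server_principals AS p
WHERE p.type IN ('U', 'G')          -- Windows users and Windows groups only
  AND p.name NOT LIKE 'NT %';       -- skip built-in NT SERVICE / NT AUTHORITY principals

-- Only 'ORPHANED' rows are candidates for removal; 'RENAMED' rows still authenticate.
SELECT * FROM @result ORDER BY status, principal_name;

-- For a renamed group, realign the SQL-side name with AD while keeping the SID
-- (hypothetical names; the new name's SID must match the stored SID):
-- ALTER LOGIN [DOMAIN\GRP-ApplicationNameV001] WITH NAME = [DOMAIN\GRP-ApplicationNameV002];
```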