So in AD, groups carry the member list attributes, not the users.

If you rename a user in AD, how does it maintain referential integrity?
I.e., what makes sure all groups the user is a member of get updated
with the new object DN?

Or am I assuming incorrectly, and does AD have a DN-like syntax that can
handle this?

The IDM connection is something I never really thought about before, but
was renames of users in AD and group memberships via IDM. Do I have to
handle that myself? Or does AD fix it all up in the background?