diff --git a/keystone/assignment/core.py b/keystone/assignment/core.py
index e5d4f9d83c..314163d302 100644
--- a/keystone/assignment/core.py
+++ b/keystone/assignment/core.py
@@ -566,8 +566,7 @@ class Manager(manager.Manager):
 try:
 # NOTE(morganfainberg): The user ids are the important part
 # for invalidating tokens below, so extract them here.
- for user in self.identity_api.list_users_in_group(group_id,
- domain_id):
+ for user in self.identity_api.list_users_in_group(group_id):
 if user['id'] != user_id:
 self._emit_invalidate_user_token_persistence(
 user['id'])
diff --git a/keystone/tests/test_backend_ldap.py b/keystone/tests/test_backend_ldap.py
index b145a230a9..aef7ca7c10 100644
--- a/keystone/tests/test_backend_ldap.py
+++ b/keystone/tests/test_backend_ldap.py
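Review bot: In keystone/assignment/core.py the corrected call `list_users_in_group(group_id)` sits inside a `try:` whose handler lies outside this hunk, so it is not visible what happens when the lookup fails. This loop is the only thing feeding `_emit_invalidate_user_token_persistence`, so a swallowed error would presumably leave group members' tokens valid after the grant is removed. The handler should catch only the expected group-not-found case and log anything else at warning level, not debug. A one-line comment on the call would also record why the argument was dropped, for example `# domain_id is not an argument of list_users_in_group; pass the group ID only`, with the wording confirmed against the identity manager's signature.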
@@ -1962,6 +1962,47 @@ class LdapIdentitySqlAssignment(BaseLDAPIdentity, tests.SQLDriverOverrides, domain['id'], domain) + def test_get_and_remove_role_grant_by_group_and_domain(self): + # TODO(henry-nash): We should really rewrite the tests in test_backend + # to be more flexible as to where the domains are sourced from, so + # that we would not need to override such tests here. This is raised + # as bug 1373865. + new_domain = self._get_domain_fixture() + new_group = {'domain_id': new_domain['id'], 'name': uuid.uuid4().hex} + new_group = self.identity_api.create_group(new_group) + new_user = {'name': 'new_user', 'password': uuid.uuid4().hex, + 'enabled': True, 'domain_id': new_domain['id']} + new_user = self.identity_api.create_user(new_user) + self.identity_api.add_user_to_group(new_user['id'], + new_group['id']) + + roles_ref = self.assignment_api.list_grants( + group_id=new_group['id'], + domain_id=new_domain['id']) + self.assertEqual(0, len(roles_ref)) + + self.assignment_api.create_grant(group_id=new_group['id'], + domain_id=new_domain['id'], + role_id='member') + + roles_ref = self.assignment_api.list_grants( + group_id=new_group['id'], + domain_id=new_domain['id']) + self.assertDictEqual(roles_ref[0], self.role_member) + + self.assignment_api.delete_grant(group_id=new_group['id'], + domain_id=new_domain['id'], + role_id='member') + roles_ref = self.assignment_api.list_grants( + group_id=new_group['id'], + domain_id=new_domain['id']) + self.assertEqual(0, len(roles_ref)) + self.assertRaises(exception.NotFound, + self.assignment_api.delete_grant, + group_id=new_group['id'], + domain_id=new_domain['id'], + role_id='member') + class LdapIdentitySqlAssignmentWithMapping(LdapIdentitySqlAssignment): """Class to test mapping of default LDAP backend.
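Review bot: test_get_and_remove_role_grant_by_group_and_domain adds `new_user` to the group, so the token-invalidation loop in core.py has a member to act on, but nothing asserts that invalidation happened for that user. The test only checks `list_grants` and that the second `delete_grant` raises `exception.NotFound`, so it guards against the call failing outright but not against revocation being silently skipped. Consider asserting that `_emit_invalidate_user_token_persistence` was invoked with `new_user['id']` when the grant is deleted, or issuing a token for `new_user` beforehand and checking it is rejected afterwards. Separately, `self.assertDictEqual(roles_ref[0], self.role_member)` indexes without checking the length, so a missing grant surfaces as an IndexError; adding `self.assertEqual(1, len(roles_ref))` before it gives a clearer failure.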