So the story goes: we are a company of 350 but somehow are on a 2000 licence server, due to the fact that AD is creating users in Confluence. We found that, due to someone setting LDAP to read only, it wasn't deactivating any accounts. If we were to just go ahead and switch that LDAP to Read/Write, what implications does this cause?
Thanks
Hi Bach,
The read-only part refers to whether Confluence can write back to LDAP. It is not necessary to enable read/write access from Confluence to Active Directory in order to have disabled status from AD reflected in Confluence. Enabling read/write will not reduce the users counting against your Confluence license.
The license count depends on the global permission to use Confluence. Please see Managing your Confluence License. If you have a group like confluence-users that is used to grant permissions, you may take the extra AD users out of that group to reduce the license count.
You may also use a base DN further down in the Active Directory or an LDAP filter to include fewer users from AD - there are links to the instructions on this page: Reducing your user count
Thanks,
Ann
Thanks for your reply, much appreciated :)
But I thought disabled users don't count towards your licence? Our issue is that LDAP is writing users to Confluence but isn't then able to tell Confluence that the user is now disabled. Thanks for the links, I will start looking at them now. Also doesn't deleting the user cause any deletion? I thought best practice was to disable the user?
Disabled users don't count toward the license - is it the case that you have disabled users in AD that show as active in Confluence? This should not be the case unless you are running a version prior to Confluence 5.3, when this was implemented: Provide Confluence support for Active Directory's "Account Disabled" flag
For context purposes, we are on 5.1. We want to upgrade and are working with a third party to do this, but they are charging us a licence fee for a 2000 user licence. Do you have any tips or ideas on how we can fix our user/licence issue before we upgrade?
Thanks so much for your help.
Yes, AD is like a file system directory but instead of files it has users and computers and instead of folders, it has containers, like Organizational Units or "OU"s. If you set the base where Confluence starts looking for users to a limited scope by using a Base DN that is not at the top of the directory, but rather down further in the directory tree, so it includes fewer people, that will help.
Another way to make sure only the users you want are counted against the license is to define an LDAP filter. Details of both strategies are on this page: How to change the number of users synchronized from LDAP to Confluence
Yet a third approach is to make sure the disabled users are not in any groups with global permission to use Confluence.
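The three approaches in the reply above (a narrower Base DN, an LDAP filter, and licence-granting group membership), modelled over constructed directory entries. This is an added example, not part of the original thread and not Atlassian code; the `example.com` DNs, the group assignments and the `licensed_users` helper are assumptions, and the filter string is the standard Active Directory bit-AND match on the disabled flag.

```python
# Added example: models Base DN scoping, an LDAP filter and group membership.
# All entries, DNs and group assignments are constructed for illustration.

ACCOUNTDISABLE = 0x2  # userAccountControl bit set on a disabled AD account

# Standard AD filter form that skips disabled accounts (bit-AND matching rule).
ENABLED_ONLY_FILTER = (
    "(&(objectCategory=Person)(sAMAccountName=*)"
    "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
)

ENTRIES = [  # (distinguished name, userAccountControl, groups)
    ("CN=alice,OU=Staff,OU=Region1,DC=example,DC=com", 512, {"confluence-users"}),
    ("CN=bob,OU=Staff,OU=Region1,DC=example,DC=com", 514, {"confluence-users"}),
    ("CN=carol,OU=Contractors,DC=example,DC=com", 512, {"confluence-users"}),
    ("CN=dave,OU=Staff,OU=Region1,DC=example,DC=com", 512, set()),
    ("CN=svc-backup,CN=Users,DC=example,DC=com", 66048, {"confluence-users"}),
]


def under_base(dn, base_dn):
    """True if dn is the base or sits below it (naive: no escaped commas)."""
    dn, base_dn = dn.lower(), base_dn.lower()
    return dn == base_dn or dn.endswith("," + base_dn)


def is_disabled(uac):
    """Same test the bit-AND filter performs on the directory side."""
    return bool(uac & ACCOUNTDISABLE)


def licensed_users(entries, base_dn, enabled_only, licensed_groups):
    """Names that would be synchronized AND hold a licence-granting group."""
    counted = []
    for dn, uac, groups in entries:
        if not under_base(dn, base_dn):
            continue  # outside the search scope, never synchronized
        if enabled_only and is_disabled(uac):
            continue  # dropped by the LDAP filter
        if groups & licensed_groups:
            counted.append(dn.split(",")[0].split("=", 1)[1])
    return counted


if __name__ == "__main__":
    groups = {"confluence-users"}
    print(licensed_users(ENTRIES, "DC=example,DC=com", False, groups))
    print(licensed_users(ENTRIES, "DC=example,DC=com", True, groups))
    print(licensed_users(ENTRIES, "OU=Region1,DC=example,DC=com", True, groups))
```

Running the same comparison against an export of the real directory before changing the Confluence user directory settings shows which accounts each option would stop counting, including service accounts that sit outside the staff OUs.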
We have multiple regions and would need to specify each OU.
Region1/Region2/Region3/Region4 is there a way to do this? Or is there a way to exempt an OU or OUs?
Thanks,