Confluence AD sync keeping users in group that are no longer members


Our Confluence instance is connected to our AD, authorizing all users of the group "wiki", which inherits its users from the group "IT-Admins". Before, the "wiki" group inherited its users from the group "IT1". Although multiple resyncs have been done, according to Confluence the group "wiki" still contains all users from "IT1".

"wiki" only inherits users from "IT-Admins", which itself contains no other groups, only 7 Users. "IT1" contains 11 Users, spread to multiple groups and thus exceeding our license.

0 votes
Accepted answer
Ann Worley Atlassian Team Jan 22, 2018

Hi Tobias,

I understand you are using an LDAP (AD) directory for user management for your Confluence server instance. The wiki group in AD (group used to manage permission to use Confluence) now contains only the IT-Admins group but formerly contained the IT1 group. The IT1 group members are still appearing as members of the wiki group in Confluence. You manually synchronized the AD User Directory in Confluence but the IT1 group members still appear as members of wiki in Confluence.

My first suggestion is:

  1. Make sure incremental synchronization is disabled in the LDAP user directory in Confluence. The checkbox is under the Advanced Settings, which are collapsed by default. Connecting to an LDAP Directory describes all the settings and what they are for.
  2. Synchronize again after disabling incremental sync.
  3. Check the group memberships again.

Secondly, I recommend eliminating the possibility that the wiki group members that are not in IT1 are maybe in a different user directory in Confluence and appearing as members of wiki because of aggregating group memberships. Please see Permissions on Managing Multiple Directories.

I look forward to hearing whether the group memberships update as expected after disabling incremental synchronization, and to any other results of your investigation.



Hi Ann,

Thanks for your reply.

I checked the points you mentioned above without any change.

But I found that removing the extra domain filters for users and groups fixed the issue, although I have no idea how. All users and groups in the setup were beneath the set subdomains.

Ann Worley Atlassian Team Jan 23, 2018

Hi Tobias,

That is great news to hear the group memberships synchronized properly at last. I can only speculate that synchronizing from the base DN without the additional group and user DNs forced the cache to refresh.

If your base DN is set to the top of the Active Directory, and you don't have the additional group and user DNs, you could run into: Some users are unable to login due to Active Directory 'follow referrals' configuration. Please consider connecting to the AD global catalog server if you are not already: How do I search from Active Directory's global catalog?
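An added example, not part of the original thread and not Atlassian code: one way to check independently which users AD still grants to "wiki" through nesting, and which entries in the application's member list are stale. The group contents, user names, subgroup names, the DN and the `grp:` prefix convention are constructed for illustration; the filter uses AD's transitive matching rule (LDAP_MATCHING_RULE_IN_CHAIN).

```python
# Added example with constructed data; the "grp:" prefix marks a nested group.
ADMINS = [f"admin{i}" for i in range(1, 8)]            # 7 users, as in the question
IT1_USERS = [f"it1-user{i}" for i in range(1, 12)]     # 11 users, as in the question

AD_GROUPS = {
    "wiki": ["grp:IT-Admins"],                         # current parent only
    "IT-Admins": ADMINS,
    "IT1": ["grp:IT1-East", "grp:IT1-West"] + IT1_USERS[:3],
    "IT1-East": IT1_USERS[3:7],                        # hypothetical subgroups
    "IT1-West": IT1_USERS[7:],
}
# What the application still reports for "wiki" after the resync (constructed).
CONFLUENCE_WIKI_MEMBERS = ADMINS + IT1_USERS

IN_CHAIN = "1.2.840.113556.1.4.1941"  # AD LDAP_MATCHING_RULE_IN_CHAIN


def effective_members(groups, root):
    """Users granted by `root` through any depth of nesting; cycle-safe."""
    seen, users, stack = set(), set(), [root]
    while stack:
        group = stack.pop()
        if group in seen:
            continue
        seen.add(group)
        for member in groups.get(group, []):
            if member.startswith("grp:"):
                stack.append(member[4:])
            else:
                users.add(member)
    return users


def stale_members(groups, root, app_members):
    """Accounts the application lists that the directory no longer grants."""
    return sorted(set(app_members) - effective_members(groups, root))


def in_chain_filter(group_dn):
    """AD filter for transitive user members of group_dn (RFC 4515 escaping)."""
    escaped = "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in group_dn)
    return f"(&(objectCategory=person)(objectClass=user)(memberOf:{IN_CHAIN}:={escaped}))"


if __name__ == "__main__":
    print(len(effective_members(AD_GROUPS, "wiki")), "users granted by AD")
    print("stale in application:", stale_members(AD_GROUPS, "wiki", CONFLUENCE_WIKI_MEMBERS))
    print(in_chain_filter("CN=wiki,OU=Groups,DC=example,DC=com"))
```

Any account in the stale list still holds application access and a license seat that the directory no longer grants, so it is worth reviewing after every change to the group's parents.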


