Hi,
When I disable a user in my Active Directory, and after Jira or Confluence does the synchronisation, the user still exists and is active in Jira and Confluence.
My question is: how does Jira/Confluence manage disabled users? In which cases does it delete/disable the users?
(BTW, the users I disable have userAccountControl:66050, and I also tried to set them as expired+disabled, but it changes nothing.)
Appreciate your help.
Thank you
If you want the user to disappear from the system you would need to add this to your User Object Filter. This will only sync users that are active in AD.
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
If instead you want the user to still exist but not take up a license, you would need to make sure they are no longer in a group that has the "can use" permission. By default that is the confluence-users group. Move them out of that group and maybe into another group that does not have "can use". Or even just remove them from groups altogether so that they do not have "can use".
Hi Davin,
Thank you for the answer.
I've tried this (include only normal account "512" and exclude disabled "2"):
(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
But it deletes other users that are not disabled in AD. I still don't know why only some users were deleted (maybe they are not normal? An example of a userAccountControl that was deleted has 66080 as its value). It even caused a problem: when I added the deleted users, I found that they no longer belong to the "jira local groups" where they were before.
I think your second solution cannot be automated (at least not easily), and I would have to manually move those disabled users. Correct me if I'm wrong.
This is how mine is set up.
(&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=confluence-users,OU={path},OU={to},OU={org unit},DC={domain},DC={ext}))
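An added example, not part of any post in this thread: the bitwise-AND matching rule `1.2.840.113556.1.4.803` applied in Python to the userAccountControl values quoted above (66050 and 66080). The flag names are from Microsoft's userAccountControl documentation; the sample users and function names are constructed for illustration.

```python
# Added example, not from the thread: AD bitwise-AND matching
# (OID 1.2.840.113556.1.4.803) applied to the values quoted above.

# Flag bits as listed in Microsoft's userAccountControl documentation.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}

def decode_uac(value):
    """Names of the known flags set in a userAccountControl value."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def bit_and(value, mask):
    """The :1.2.840.113556.1.4.803:= rule: true only if all mask bits are set."""
    return (value & mask) == mask

def passes_512_and_not_2(value):
    """userAccountControl clauses of (&(...:=512)(!(...:=2)))."""
    return bit_and(value, 512) and not bit_and(value, 2)

def passes_not_2(value):
    """userAccountControl clause of (!(...:=2)): keep accounts not disabled."""
    return not bit_and(value, 2)

def synced(users, clause):
    """Names of the users whose userAccountControl satisfies the clause."""
    return [name for name, uac in users if clause(uac)]

# Constructed sample directory; only 66050 and 66080 come from the thread.
SAMPLE_USERS = [
    ("alice", 512),      # plain enabled account
    ("bob", 66050),      # value reported for the disabled users
    ("carol", 66080),    # value reported for a user that was removed
    ("dave", 514),       # plain disabled account
]

if __name__ == "__main__":
    for name, uac in SAMPLE_USERS:
        print(name, uac, hex(uac), decode_uac(uac))
    print("512 and not 2:", synced(SAMPLE_USERS, passes_512_and_not_2))
    print("not 2:        ", synced(SAMPLE_USERS, passes_not_2))
```

On the userAccountControl bits alone, both filter variants keep 66080 and drop 66050, so when an enabled account disappears the remaining clauses of the filter (objectClass, objectCategory, memberOf) are what is left to check.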
Hey,
If you have configured your LDAP directory, such as AD, appropriately, whenever the user is disabled in AD, it will become disabled in Confluence/Jira. The change will not, however, be instantaneous; it happens only after the next synchronisation.
If the user has content created and associated with them, you can and should disable their account instead, to avoid losing access to their content. See Delete or Disable Users.
You can delete a user from Confluence if they haven't yet added or edited any content on the site. Content includes pages and blog posts, and edits and comments on existing pages.
If a user has contributed content, you should disable their user account. Disabling a user account won't remove the content they've created.
Hi,
Thank you for the answer.
What do you mean by appropriately? Do I have to set filters in my configuration, or does Jira/Confluence manage this by default?
Of course, when I disable the user in my AD, I do a synchronisation, but the user in Confluence doesn't change; it remains active (even if the user cannot authenticate anymore).