Disabled users in ActiveDirectory still active on confluence/jira

Yahya M March 8, 2018

Hi,

When I disable a user in my Active Directory, and after Jira or Confluence does the synchronisation, the user still exists and is active in Jira and Confluence.

My question is: how does Jira/Confluence manage disabled users? In which cases does it delete/disable the users?

(Btw, the users I disable have userAccountControl:66050, and I also tried to set them as expired+disabled, but it changes nothing.)

Appreciate your help.

Thank you

2 answers

0 votes
Davin Studer
Rising Star
March 8, 2018

If you want the user to disappear from the system you would need to add this to your User Object Filter. This will only sync users that are active in AD.

(!(userAccountControl:1.2.840.113556.1.4.803:=2))

If instead you want the user to still exist but not take up a license you would need to make sure they are no longer in a group that has the "can use" permission. So by default that is the confluence-users group. Move them out of that group and maybe into another group that does not have "can use". Or even just remove them from groups altogether so that they do not have "can use".

Yahya M March 9, 2018

Hi Davin,

Thank you for the answer.

I've tried this (include only normal account "512" and exclude disabled "2"): 

(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=512)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

but it deletes other users that are not disabled on AD. I still don't know why only some users were deleted (maybe they are not normal? An example of a user that was deleted has 66080 as its userAccountControl value). It even caused a problem: when I added the deleted users, I found that they no longer belong to the "jira local groups" where they were before.

I think your second solution cannot be automated (at least easily), and I should manually move those disabled users; correct me if I'm wrong.

Davin Studer
Rising Star
March 9, 2018

This is how mine is set up.

(&(objectCategory=Person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(memberOf=CN=confluence-users,OU={path},OU={to},OU={org unit},DC={domain},DC={ext}))
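
Added example, not part of any poster's reply and not Atlassian's code: a small Python decoder for the userAccountControl values quoted in this thread, evaluating the filter clauses the way the 1.2.840.113556.1.4.803 (bitwise AND) matching rule does. The flag table is a partial list of Active Directory's flags; the function names and the sample values 512 and 514 are constructed for illustration.

```python
# Added example: decode userAccountControl (UAC) values and evaluate the
# bitwise-AND clauses discussed in this thread. Function names are hypothetical.

# Partial table of Active Directory userAccountControl flags.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x800000: "PASSWORD_EXPIRED",
}


def decode_uac(value):
    """Return the names of the known flags set in a UAC value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def bit_and_match(value, mask):
    """Matching rule 1.2.840.113556.1.4.803: true only if ALL bits of mask are set."""
    return (value & mask) == mask


def passes_enabled_only(value):
    """(!(userAccountControl:1.2.840.113556.1.4.803:=2)) -> keep enabled accounts."""
    return not bit_and_match(value, 2)


def passes_thread_filter(value):
    """UAC clauses of the 9 March filter: bit 512 set AND bit 2 not set.
    The (objectClass=user) clause of that filter is not evaluated here."""
    return bit_and_match(value, 512) and not bit_and_match(value, 2)


# 66050 and 66080 are quoted in the thread; 512 and 514 are constructed samples.
SAMPLES = [66050, 66080, 512, 514]


def report(values=SAMPLES):
    """Return (value, flags, passes_enabled_only, passes_thread_filter) per value."""
    return [(v, decode_uac(v), passes_enabled_only(v), passes_thread_filter(v))
            for v in values]


if __name__ == "__main__":
    for value, flags, enabled, thread in report():
        print(f"{value:>6}  enabled-only={enabled!s:<5}  thread-filter={thread!s:<5}  "
              f"{'|'.join(flags)}")
```

In this check 66050 carries the ACCOUNTDISABLE bit and is excluded by both filters, while 66080 satisfies both userAccountControl clauses, so those clauses alone do not account for an object with that value dropping out of the sync.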
0 votes
Igor M.
Atlassian Team
March 8, 2018

Hey,

If you have configured your LDAP directory such as AD appropriately, whenever the user is disabled on AD, it will become disabled on Confluence/Jira. The change will not, however, be instantaneous; it will happen only after the next synchronisation.

If the user has content created and associated with them, you can and should disable their account instead, to avoid losing access to their content. See Delete or Disable Users:

You can delete a user from Confluence if they haven't yet added or edited any content on the site. Content includes pages and blog posts, and edits and comments on existing pages.

If a user has contributed content, you should disable their user account. Disabling a user account won't remove the content they've created.

Yahya M March 8, 2018

Hi,

Thank you for the answer.

What do you mean by appropriately? Do I have to set filters on my configuration? Or does Jira/Confluence manage this by default?

Of course when I disable the user from my AD, I do a synchronisation, but the user in Confluence doesn't change, it remains active. (even if the user cannot authenticate anymore)
