Why does JIRA remove users from groups when their AD account is disabled?

I am using the Read Only, with Local Groups configuration for LDAP. When a user is disabled in Microsoft Active Directory, the user's groups are removed from their account in JIRA. The only group that seems to stick is this Jira Users group in the application. The default group membership is a jira-users group in the LDAP configuration. Please advise on why this happens, and what can I do to prevent their removal from groups. Typical scenario is a Leave of Absence.

1 answer

0 vote

That shouldn't happen. Are the AD admins removing groups from users? Or putting the user into some OU not synced by JIRA?

Just deactivating a user account in AD should cause JIRA to mark the user as inactive

Ann Worley Atlassian Team May 24, 2017

I tested disabling a user ("Jeremy Owen") in AD and he stayed in his LDAP groups,  just marked inactive:Screen Shot 2017-05-24 at 9.19.36 AM.png

Sometimes AD admins will move a user to an OU for disabled users and take them out of any security groups. It doesn't impact your local jira-users group because that one is not controlled by LDAP. When the LDAP admin puts them back in the LDAP groups, JIRA should pick up those memberships again.

If users are being re-enabled and JIRA is not pickinhg up their group memberships it may be worthwhile to open a support ticket so Atlassian can take a closer look. An LDIF export of the user from AD and a support zip will help Support get started.

 

Hi Matt and Ann,

Thanks for responding!

@Ann, I have verified our process on disabling users who to on a leave of absence. We do move them to a different OU, 

"Sometimes AD admins will move a user to an OU for disabled users and take them out of any security groups."

The membership to that Jira Users, active directory, group is not removed. So if the user account is moved to a disabled users OU, should that still affect the local user in JIRA? User Schma targets the Jira Users group in a specific OU using the memberOf attribute. Group Schema: (&(objectCategory=Group)(name=Jira Users)). And the member schema uses member and memberOf with both attributes disabled/unchecked.

I should probably open a ticket at this point but if anything obvious stands out, please let me know.

Suggest an answer

Log in or Join to answer
Community showcase
Sarah Schuster
Posted Jan 29, 2018 in Jira

What are common themes you've seen across successful & failed Jira Software implementations?

Hey everyone! My name is Sarah Schuster, and I'm a Customer Success Manager in Atlassian specializing in Jira Software Cloud. Over the next few weeks I will be posting discussion topics (8 total) to ...

3,231 views 14 19
Join discussion

Atlassian User Groups

Connect with like-minded Atlassian users at free events near you!

Find a group

Connect with like-minded Atlassian users at free events near you!

Find my local user group

Unfortunately there are no AUG chapters near you at the moment.

Start an AUG

You're one step closer to meeting fellow Atlassian users at your local meet up. Learn more about AUGs

Groups near you
Atlassian Team Tour

Join us on the Team Tour

We're bringing product updates and pro tips on teamwork to ten cities around the world.

Save your spot