Why does JIRA remove users from groups when their AD account is disabled?

I am using the Read Only, with Local Groups configuration for LDAP. When a user is disabled in Microsoft Active Directory, the user's groups are removed from their account in JIRA. The only group that seems to stick is this Jira Users group in the application. The default group membership is a jira-users group in the LDAP configuration. Please advise on why this happens, and what can I do to prevent their removal from groups. Typical scenario is a Leave of Absence.

1 answer


That shouldn't happen. Are the AD admins removing groups from users? Or putting the user into some OU not synced by JIRA?

Just deactivating a user account in AD should cause JIRA to mark the user as inactive.

Ann Worley Atlassian Team May 24, 2017

I tested disabling a user ("Jeremy Owen") in AD and he stayed in his LDAP groups, just marked inactive: [screenshot: Screen Shot 2017-05-24 at 9.19.36 AM.png]

Sometimes AD admins will move a user to an OU for disabled users and take them out of any security groups. It doesn't impact your local jira-users group because that one is not controlled by LDAP. When the LDAP admin puts them back in the LDAP groups, JIRA should pick up those memberships again.

If users are being re-enabled and JIRA is not picking up their group memberships, it may be worthwhile to open a support ticket so Atlassian can take a closer look. An LDIF export of the user from AD and a support zip will help Support get started.

 

Hi Matt and Ann,

Thanks for responding!

@Ann, I have verified our process on disabling users who go on a leave of absence. We do move them to a different OU, 

"Sometimes AD admins will move a user to an OU for disabled users and take them out of any security groups."

The membership to that Jira Users, active directory, group is not removed. So if the user account is moved to a disabled users OU, should that still affect the local user in JIRA? User Schema targets the Jira Users group in a specific OU using the memberOf attribute. Group Schema: (&(objectCategory=Group)(name=Jira Users)). And the member schema uses member and memberOf with both attributes disabled/unchecked.

I should probably open a ticket at this point but if anything obvious stands out, please let me know.

Hi, 

I have the same issue :(

When I start to synchronize manually, all users are back in their groups.

In the log I can find only this:

2018-08-09 15:08:18,604 Caesium-1-2 INFO ServiceRunner     [c.a.crowd.directory.DbCachingRemoteChangeOperations] removed [ 109 ] user members from [ Jira_MGMT ] in [ 1023ms ]

I'm sure that there are no changes in AD.

Thanks, 

Krzysztof
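For anyone chasing the same symptom, the sync line quoted in the post above can be scanned for automatically. This is an added example, not part of the original thread or Atlassian's code: the function names, the threshold of 10 and every sample line except the first are assumptions made here.

```python
import re
from collections import defaultdict
from datetime import datetime

# Pattern for the directory-sync line quoted in the thread above.
REMOVAL_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*"
    r"\[c\.a\.crowd\.directory\.DbCachingRemoteChangeOperations\] "
    r"removed \[ (?P<count>\d+) \] user members from \[ (?P<group>.+?) \] in \["
)

# First line is the one from the thread; the other two are constructed samples.
SAMPLE_LOG = [
    "2018-08-09 15:08:18,604 Caesium-1-2 INFO ServiceRunner     [c.a.crowd.directory.DbCachingRemoteChangeOperations] removed [ 109 ] user members from [ Jira_MGMT ] in [ 1023ms ]",
    "2018-08-09 16:08:19,112 Caesium-1-3 INFO ServiceRunner     [c.a.crowd.directory.DbCachingRemoteChangeOperations] removed [ 2 ] user members from [ Jira_DEV ] in [ 40ms ]",
    "2018-08-09 16:08:20,001 Caesium-1-3 INFO ServiceRunner     [c.a.example.Placeholder] constructed unrelated line",
]

def parse_removals(lines):
    """Return one event per sync pass that removed members from a group."""
    events = []
    for line in lines:
        m = REMOVAL_RE.search(line)
        if m:
            events.append({
                "time": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
                "group": m["group"],
                "count": int(m["count"]),
            })
    return events

def flag_mass_removals(events, threshold=10):
    """Group removals at or above threshold (an assumed cut-off) by group name."""
    flagged = defaultdict(list)
    for e in events:
        if e["count"] >= threshold:
            flagged[e["group"]].append((e["time"], e["count"]))
    return dict(flagged)

if __name__ == "__main__":
    for group, hits in flag_mass_removals(parse_removals(SAMPLE_LOG)).items():
        for when, count in hits:
            print(f"{when.isoformat()} {group}: {count} members removed in one sync")
```

Comparing the flagged timestamps against AD change records shows whether a removal followed a real directory change or came from the sync itself.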
