Why does JIRA remove users from groups when their AD account is disabled?

Aram Ghanimian May 23, 2017

I am using the Read Only, with Local Groups configuration for LDAP. When a user is disabled in Microsoft Active Directory, the user's groups are removed from their account in JIRA. The only group that seems to stick is this Jira Users group in the application. The default group membership is a jira-users group in the LDAP configuration. Please advise on why this happens, and what can I do to prevent their removal from groups. Typical scenario is a Leave of Absence.

1 answer

0 votes
MattS
Rising Star
May 23, 2017

That shouldn't happen. Are the AD admins removing groups from users? Or putting the user into some OU not synced by JIRA?

Just deactivating a user account in AD should cause JIRA to mark the user as inactive.

AnnWorley
Atlassian Team
May 24, 2017

I tested disabling a user ("Jeremy Owen") in AD and he stayed in his LDAP groups, just marked inactive.

Sometimes AD admins will move a user to an OU for disabled users and take them out of any security groups. It doesn't impact your local jira-users group because that one is not controlled by LDAP. When the LDAP admin puts them back in the LDAP groups, JIRA should pick up those memberships again.

If users are being re-enabled and JIRA is not picking up their group memberships, it may be worthwhile to open a support ticket so Atlassian can take a closer look. An LDIF export of the user from AD and a support zip will help Support get started.

 

Aram Ghanimian May 25, 2017

Hi Matt and Ann,

Thanks for responding!

@Ann, I have verified our process on disabling users who go on a leave of absence. We do move them to a different OU,

"Sometimes AD admins will move a user to an OU for disabled users and take them out of any security groups."

The membership to that Jira Users, active directory, group is not removed. So if the user account is moved to a disabled users OU, should that still affect the local user in JIRA? User Schema targets the Jira Users group in a specific OU using the memberOf attribute. Group Schema: (&(objectCategory=Group)(name=Jira Users)). And the member schema uses member and memberOf with both attributes disabled/unchecked.

I should probably open a ticket at this point but if anything obvious stands out, please let me know.

Krzysztof Hotiuk August 9, 2018

Hi, 

I have the same issue :(

When I start to synchronize manually, all users are back in their groups.

In the log I can find only this:

2018-08-09 15:08:18,604 Caesium-1-2 INFO ServiceRunner     [c.a.crowd.directory.DbCachingRemoteChangeOperations] removed [ 109 ] user members from [ Jira_MGMT ] in [ 1023ms ]

I'm sure that there are no changes in AD.

Thanks, 

Krzysztof
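
An added example, not part of any post in this thread and not Atlassian code: a small Python check that scans a JIRA log for the directory-sync removal message quoted above and flags any single sync pass that strips a large number of members from one group. The threshold of 25 and all names in the code are assumptions; the first sample line is the one from the post, the others are constructed.

```python
import re
from datetime import datetime
from typing import NamedTuple

# Matches the removal message format shown in the log line quoted above.
REMOVED_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3} .*"
    r"DbCachingRemoteChangeOperations\] removed \[ (?P<count>\d+) \] "
    r"user members from \[ (?P<group>.+?) \] in \[ (?P<ms>\d+)ms \]"
)

class Removal(NamedTuple):
    when: datetime
    group: str
    count: int

def parse_removals(lines):
    """Return one Removal per directory-sync line that removed user members."""
    out = []
    for line in lines:
        m = REMOVED_RE.search(line)
        if m:
            when = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            out.append(Removal(when, m["group"], int(m["count"])))
    return out

def flag_mass_removals(removals, threshold=25):
    """Groups that lost at least `threshold` members in one sync pass.

    The default threshold is an assumption; tune it to normal churn.
    """
    return [r for r in removals if r.count >= threshold]

# First line is the one quoted in the post; the others are constructed samples.
SAMPLE_LOG = [
    "2018-08-09 15:08:18,604 Caesium-1-2 INFO ServiceRunner     [c.a.crowd.directory.DbCachingRemoteChangeOperations] removed [ 109 ] user members from [ Jira_MGMT ] in [ 1023ms ]",
    "2018-08-09 16:08:17,311 Caesium-1-3 INFO ServiceRunner     [c.a.crowd.directory.DbCachingRemoteChangeOperations] removed [ 1 ] user members from [ Jira Users ] in [ 12ms ]",
    "2018-08-09 16:08:19,002 Caesium-1-3 INFO ServiceRunner     (constructed line that is not a removal message)",
]

if __name__ == "__main__":
    for r in flag_mass_removals(parse_removals(SAMPLE_LOG)):
        print(f"{r.when:%Y-%m-%d %H:%M:%S} sync removed {r.count} members from {r.group!r}")
```

A flagged timestamp can then be compared with AD change records for the same window to tell a real directory change from a sync that returned incomplete results.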
