How to Exclude Active Directory Default Domain Groups from Confluence

Use Case

When using Microsoft Active Directory, you may wish to filter out the default groups, such as Domain Admins and Cert Publishers. These are default groups in Active Directory, and depending on your requirements, it may be difficult or impossible to write a filter that excludes them all. Instead, you can filter objects by ignoring any that have the isCriticalSystemObject property set on them.

This also applies to any product where you can specify an LDAP filter - in this particular example, we're using Confluence.

Resolution

You should perform these tests in a test environment first - that way, you don't accidentally lock your users out of Confluence.

  • Log into Confluence as an Administrator from the local directory (this is so you can make changes to the Active Directory)
  • In Confluence Administration, click "User Directories"

  • Next to your Active Directory, click "Edit"

  • Click "Group Schema Settings" to expand those settings

  • The default Group Filter is:

    (objectCategory=Group)
  • Change it to the following:

    (&(objectCategory=Group)(!(isCriticalSystemObject=TRUE)))

    Note: You may need to adjust this filter further, depending on your particular configuration and goals.

  • This will match any object that is a group, and does not have the isCriticalSystemObject property set to true.
  • Save the changes, and perform a sync - the groups should no longer be present in the Groups screen of Confluence
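
To preview which groups the changed Group Filter removes before you sync, the following added example (not Atlassian's code) evaluates both filters against constructed group entries. The small filter evaluator, the sample groups and the function names are assumptions for illustration; the model treats a group with no isCriticalSystemObject attribute as not matching TRUE, so such a group is kept.

```python
DEFAULT_FILTER = "(objectCategory=Group)"
NEW_FILTER = "(&(objectCategory=Group)(!(isCriticalSystemObject=TRUE)))"

# Constructed sample groups, not real directory data. objectCategory is kept
# in the short form that the filters above use.
GROUPS = [
    {"cn": "Domain Admins", "objectCategory": "Group", "isCriticalSystemObject": "TRUE"},
    {"cn": "Cert Publishers", "objectCategory": "Group", "isCriticalSystemObject": "TRUE"},
    {"cn": "confluence-users", "objectCategory": "Group"},  # attribute not set
    {"cn": "confluence-administrators", "objectCategory": "Group", "isCriticalSystemObject": "FALSE"},
]

def parse(f, i=0):
    """Parse one parenthesised filter at f[i]; return (node, next_index)."""
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    op = f[i + 1:i + 2]
    if op in ("&", "|", "!"):
        kids, i = [], i + 2
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        if f[i:i + 1] != ")" or not kids or (op == "!" and len(kids) != 1):
            raise ValueError(f"malformed '{op}' clause near offset {i}")
        return (op, kids), i + 1
    end = f.index(")", i)  # raises ValueError if the clause is never closed
    attr, sep, value = f[i + 1:end].partition("=")
    if not attr or not sep:
        raise ValueError(f"expected attr=value at offset {i}")
    return ("=", attr.lower(), value), end + 1

def matches(node, entry):
    """Evaluate a parsed filter; an absent attribute never equals a value."""
    if node[0] == "=":
        have = {k.lower(): v for k, v in entry.items()}.get(node[1])
        return have is not None and (node[2] == "*" or have.lower() == node[2].lower())
    results = [matches(kid, entry) for kid in node[1]]
    return not results[0] if node[0] == "!" else {"&": all, "|": any}[node[0]](results)

def synced(filter_text, entries):
    """Names of the groups the filter would return, in input order."""
    tree, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("unexpected text after filter")
    return [e["cn"] for e in entries if matches(tree, e)]

def dropped(old, new, entries):
    """Groups returned by the old filter that the new filter no longer returns."""
    keep = set(synced(new, entries))
    return [cn for cn in synced(old, entries) if cn not in keep]
```

Compare the output of `dropped(DEFAULT_FILTER, NEW_FILTER, GROUPS)` with the groups that hold permissions in Confluence before saving the filter outside the test environment.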
Last modified on Feb 26, 2016
