I am using the Read Only, with Local Groups configuration for LDAP. When a user is disabled in Microsoft Active Directory, the user's groups are removed from their account in JIRA. The only group that seems to stick is this Jira Users group in the application. The default group membership is a jira-users group in the LDAP configuration. Please advise on why this happens, and what can I do to prevent their removal from groups. Typical scenario is a Leave of Absence.
That shouldn't happen. Are the AD admins removing groups from users? Or putting the user into some OU not synced by JIRA?
Just deactivating a user account in AD should cause JIRA to mark the user as inactive.
I tested disabling a user ("Jeremy Owen") in AD and he stayed in his LDAP groups, just marked inactive:
Sometimes AD admins will move a user to an OU for disabled users and take them out of any security groups. It doesn't impact your local jira-users group because that one is not controlled by LDAP. When the LDAP admin puts them back in the LDAP groups, JIRA should pick up those memberships again.
If users are being re-enabled and JIRA is not picking up their group memberships it may be worthwhile to open a support ticket so Atlassian can take a closer look. An LDIF export of the user from AD and a support zip will help Support get started.
Hi Matt and Ann,
Thanks for responding!
@Ann, I have verified our process on disabling users who go on a leave of absence. We do move them to a different OU,
"Sometimes AD admins will move a user to an OU for disabled users and take them out of any security groups."
The membership to that Jira Users, active directory, group is not removed. So if the user account is moved to a disabled users OU, should that still affect the local user in JIRA? User Schema targets the Jira Users group in a specific OU using the memberOf attribute. Group Schema: (&(objectCategory=Group)(name=Jira Users)). And the member schema uses member and memberOf with both attributes disabled/unchecked.
I should probably open a ticket at this point but if anything obvious stands out, please let me know.
Hi,
I have the same issue :(
When I start to synchronize manually, all users are back in their groups.
In the log I can find only this:
2018-08-09 15:08:18,604 Caesium-1-2 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteChangeOperations] removed [ 109 ] user members from [ Jira_MGMT ] in [ 1023ms ]
I'm sure that there are no changes in AD.
Thanks,
Krzysztof
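One way to triage the membership-removal entries quoted in the post above, as an added example that is not part of the original thread or Atlassian's code: it parses log lines in that format and flags syncs that drop many members from a group at once. The second and third sample lines, the group name Jira_DEV and the threshold of 20 are constructed assumptions.

```python
import re
from collections import Counter
from datetime import datetime

# Matches the DbCachingRemoteChangeOperations removal line format quoted in the thread.
REMOVED = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}),\d{3}\s+\S+\s+INFO\s+.*?"
    r"\[c\.a\.crowd\.directory\.DbCachingRemoteChangeOperations\]\s+"
    r"removed \[ (?P<count>\d+) \] user members from \[ (?P<group>.+?) \] in \[ \d+ms \]"
)

def parse_removals(lines):
    """Yield (timestamp, group, removed_count) for each removal line."""
    for line in lines:
        m = REMOVED.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["group"], int(m["count"])

def bulk_removals(lines, threshold=20):
    """Removals at or above threshold (hypothetical cut-off, tune per site)."""
    return [r for r in parse_removals(lines) if r[2] >= threshold]

def removed_per_group(lines):
    """Total members removed per group across all parsed sync entries."""
    totals = Counter()
    for _, group, count in parse_removals(lines):
        totals[group] += count
    return dict(totals)

# First line is the one from the thread; the other two are constructed.
SAMPLE_LOG = """\
2018-08-09 15:08:18,604 Caesium-1-2 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteChangeOperations] removed [ 109 ] user members from [ Jira_MGMT ] in [ 1023ms ]
2018-08-09 16:08:19,112 Caesium-1-3 INFO ServiceRunner [c.a.crowd.directory.DbCachingRemoteChangeOperations] removed [ 1 ] user members from [ Jira_DEV ] in [ 12ms ]
2018-08-09 16:08:20,001 Caesium-1-3 INFO ServiceRunner [c.a.j.example.Unrelated] some other message
""".splitlines()

if __name__ == "__main__":
    for ts, group, count in bulk_removals(SAMPLE_LOG):
        print(f"{ts} bulk removal: {count} members dropped from {group}")
```

Comparing the flagged timestamps against AD change records shows whether a removal followed a real directory change or came from the sync itself.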