You are using an external directory with LDAP Permissions "Read Only, with Local Groups" and can't deactivate users because the directory is Read Only.


Instead of deactivating users, you could remove them from the groups which provide application access.
In Jira, these groups are by default called jira-software-users, jira-servicedesk-users or jira-core-users
In Confluence it's the confluence-users and in Bitbucket the stash-users group.

If you created these groups directly in your active directory, they are not considered as local groups yet and you need to perform the steps below.

Change LDAP permissions settings for the external directory

For new users, you need to make sure that they are assigned to the groups providing application access,
as in the example of Jira and the jira-software-users group in the picture below.

Add users to a temporary group

The safest way to not forget who previously was a member of the groups providing application access is to add the users 
to a temporary group. This is because you'll need to remove the groups in the Active Directory / LDAP server in the next step, thus loosing the membership information in the Active Directory.

Delete Group in Active Directory/ LDAP and adjust directory in Jira, Confluence or Bitbucket

Please follow the steps described here:
Instead of the group name in the example in the above tutorial, please use jira-software-users or another group name, depending on your setup, i.e.:


After saving the new directory configuration, perform a full synchronization for that directory:

Add users from the temporary group to the group providing application access again

Only after performing the previous step you can add users to the group providing application access from within Jira, Confluence or Bitbucket.
Otherwise it just wouldn't work and look like nothing happened. Only in the log files on the server you'd see that you are still trying to add users to a read-only group.

So all users from the temporary group should now be added to i.e. jira-software-usersconfluence-users or the stash-users group.

Reset the default group membership action of LDAP directories

If you decide to remove groups provided in the Default Group Memberships section of the LDAP connector, you might want to consider resetting the flag that groups have been added.
This is because Atlassian only adds users to these groups on first login. Normally you could only do that with a database update,
read here:

If you check the corresponding box below the group picker:


With this setup you have now full control over group memberships for these groups in Jira, Confluence or Bitbucket directly.
Please note that you'll need version 4.4.0 or later of the License & User Deactivator app in order to remove users from groups as part of the automatic deactivation.